From 61f59ee0e8a50fc15f0899fda828d9d0ea0b0ad6 Mon Sep 17 00:00:00 2001
From: vindenesen
Date: Thu, 19 Sep 2019 19:52:06 +0200
Subject: Added setting for tls-auth. Added check for if tls_cert and tls_key was defined.
---
 src/conf_mode/interface-openvpn.py | 27 ++++++++++++++++++++++-----
 1 file changed, 22 insertions(+), 5 deletions(-)
(limited to 'src/conf_mode/interface-openvpn.py')
diff --git a/src/conf_mode/interface-openvpn.py b/src/conf_mode/interface-openvpn.py
index 34c094862..7b3e57d7d 100755
--- a/src/conf_mode/interface-openvpn.py
+++ b/src/conf_mode/interface-openvpn.py
@@ -171,6 +171,10 @@ crl-verify {{ tls_crl }}
 dh {{ tls_dh }}
 {% endif %}
+{%- if tls_auth %}
+tls-auth {{tls_auth}}
+{% endif %}
+
+{%- if 'active' in tls_role %}
 tls-client
 {%- elif 'passive' in tls_role %}
@@ -277,6 +281,7 @@ default_config_data = {
 'server_topology': '',
 'shared_secret_file': '',
 'tls': False,
+ 'tls_auth': '',
 'tls_ca_cert': '',
 'tls_cert': '',
 'tls_crl': '',
@@ -532,6 +537,11 @@ def get_config():
 if conf.exists('server reject-unconfigured-clients'):
 openvpn['server_reject_unconfigured'] = True
+ # File containing TLS auth static key
+ if conf.exists('tls auth-file'):
+ openvpn['tls_auth'] = conf.return_value('tls auth-file')
+ openvpn['tls'] = True
+
 # File containing certificate for Certificate Authority (CA)
 if conf.exists('tls ca-cert-file'):
 openvpn['tls_ca_cert'] = conf.return_value('tls ca-cert-file')
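Review bot: `tls-auth {{tls_auth}}` emits the directive without a key-direction argument, so both peers use the static key bidirectionally rather than OpenVPN's recommended split where the server uses direction 0 and clients direction 1, and the new `tls auth-file` node offers no way to express a direction. Either a companion direction setting or an explicit template note, e.g. `{# no direction given: the static key is used bidirectionally #}`, would make that choice visible to the next maintainer. The surrounding lines write `{{ tls_dh }}` with inner spaces, so `tls-auth {{ tls_auth }}` would match the file's style. The template string this hunk belongs to starts and ends outside the hunk.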
@@ -714,11 +724,17 @@ def verify(openvpn):
 if not checkCertHeader('-----BEGIN CERTIFICATE-----', openvpn['tls_ca_cert']):
 raise ConfigError('Specified ca-cert-file "{}" is invalid'.format(openvpn['tls_ca_cert']))
- if not checkCertHeader('-----BEGIN CERTIFICATE-----', openvpn['tls_cert']):
- raise ConfigError('Specified cert-file "{}" is invalid'.format(openvpn['tls_cert']))
+ if openvpn['tls_auth']:
+ if not checkCertHeader('-----BEGIN OpenVPN Static key V1-----', openvpn['tls_auth']):
+ raise ConfigError('Specified auth-file "{}" is invalid'.format(openvpn['tls_auth']))
+
+ if openvpn['tls_cert']:
+ if not checkCertHeader('-----BEGIN CERTIFICATE-----', openvpn['tls_cert']):
+ raise ConfigError('Specified cert-file "{}" is invalid'.format(openvpn['tls_cert']))
- if not checkCertHeader('-----BEGIN (?:RSA )?PRIVATE KEY-----', openvpn['tls_key']):
- raise ConfigError('Specified key-file "{}" is not valid'.format(openvpn['tls_key']))
+ if openvpn['tls_key']:
+ if not checkCertHeader('-----BEGIN (?:RSA )?PRIVATE KEY-----', openvpn['tls_key']):
+ raise ConfigError('Specified key-file "{}" is not valid'.format(openvpn['tls_key']))
 if openvpn['tls_crl']:
 if not checkCertHeader('-----BEGIN X509 CRL-----', openvpn['tls_crl']):
@@ -730,7 +746,8 @@ def verify(openvpn):
 if openvpn['tls_role']:
 if openvpn['mode'] in ['client', 'server']:
- raise ConfigError('Cannot specify "tls role" in client-server mode')
+ if not openvpn['tls_auth']:
+ raise ConfigError('Cannot specify "tls role" in client-server mode')
 if openvpn['tls_role'] == 'active':
 if openvpn['protocol'] == 'tcp-passive':
-- cgit v1.2.3
From 9334c9428c4dcf8d575bfb50d6a33d10b67b5e14 Mon Sep 17 00:00:00 2001
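Review bot: Wrapping the cert-file and key-file checks in `if openvpn['tls_cert']:` / `if openvpn['tls_key']:` means a TLS configuration with neither file now passes verify() and only fails when OpenVPN starts, while the ca-cert check just above stays unconditional. A certificate-less peer is only legitimate for a client whose server does not require client certificates, so server mode should keep the old requirement, e.g. before the new `if openvpn['tls_cert']:` add `if openvpn['mode'] == 'server' and not (openvpn['tls_cert'] and openvpn['tls_key']):` followed by `    raise ConfigError('Must specify "tls cert-file" and "tls key-file" in server mode')`. The new auth-file check only inspects the header; since that file is a shared secret, a check that it is not group- or world-readable would be worth adding alongside, though checkCertHeader is defined outside the hunk. verify() starts and ends outside the hunk, so whether this block is gated on openvpn['tls'] cannot be seen here.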
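Review bot: The exemption `if not openvpn['tls_auth']:` keeps the old error text, so a user who hits it is told that tls role cannot be set in client-server mode even though the new code accepts it once an auth-file is configured; the message should state the actual condition, e.g. `raise ConfigError('Cannot specify "tls role" in client-server mode without "tls auth-file"')`. The coupling is not self-explanatory, since tls-auth and the tls-client/tls-server directives are independent OpenVPN settings, so a comment above the new `if` is needed, e.g. `# TODO(review): document why an explicit tls role is acceptable in client-server mode when tls-auth is set`. The remainder of the tls_role checks continues outside the hunk.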
From: vindenesen
Date: Thu, 19 Sep 2019 20:31:58 +0200
Subject: OpenVPN - Added setting for minimum tls version
---
 interface-definitions/interfaces-openvpn.xml | 23 +++++++++++++++++++++++
 src/conf_mode/interface-openvpn.py | 9 +++++++++
 2 files changed, 32 insertions(+)
(limited to 'src/conf_mode/interface-openvpn.py')
diff --git a/interface-definitions/interfaces-openvpn.xml b/interface-definitions/interfaces-openvpn.xml
index d282a8773..39fa8e6a6 100644
--- a/interface-definitions/interfaces-openvpn.xml
+++ b/interface-definitions/interfaces-openvpn.xml
@@ -543,6 +543,29 @@ File containing this host's private key + + + Specify the minimum required TLS version + + 1.0 1.1 1.2 + + + 1.0 + TLS v1.0 + + + 1.1 + TLS v1.1 + + + 1.2 + TLS v1.2 + + + (1.0|1.1|1.2) + + + File containing this host's private key
diff --git a/src/conf_mode/interface-openvpn.py b/src/conf_mode/interface-openvpn.py
index 34c094862..495ddfdf5 100755
--- a/src/conf_mode/interface-openvpn.py
+++ b/src/conf_mode/interface-openvpn.py
@@ -167,6 +167,10 @@ key {{ tls_key }}
 crl-verify {{ tls_crl }}
 {% endif %}
+{%- if tls_version_min %}
+tls-version-min {{tls_version_min}}
+{% endif %}
+
+{%- if tls_dh %}
 dh {{ tls_dh }}
 {% endif %}
@@ -283,6 +287,7 @@ default_config_data = {
 'tls_dh': '',
 'tls_key': '',
 'tls_role': '',
+ 'tls_version_min': '',
 'type': 'tun',
 'uid': user,
 'gid': group,
@@ -562,6 +567,10 @@ def get_config():
 openvpn['tls_role'] = conf.return_value('tls role')
 openvpn['tls'] = True
+ # Minimum required TLS version
+ if conf.exists('tls minimum-tls-version'):
+ openvpn['tls_version_min'] = conf.return_value('tls minimum-tls-version')
+
 if conf.exists('shared-secret-key-file'):
 openvpn['shared_secret_file'] = conf.return_value('shared-secret-key-file')
-- cgit v1.2.3
From 87500058e11f6846a5ba18dfa17ea685bcdca5ae Mon Sep 17 00:00:00 2001
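Review bot: The value constraint `(1.0|1.1|1.2)` leaves its dots unescaped, so if this is the regex that validates the new minimum-TLS-version node at the CLI (the XML tags did not survive extraction, so this is inferred from the visible text), any character is accepted in place of the dot and an unintended value is passed through to the rendered OpenVPN config. `(1\.0|1\.1|1\.2)` pins the input to the three listed versions. The enclosing node definition starts and ends outside what is visible.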
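Review bot: `tls-version-min {{tls_version_min}}` is emitted only when the option is set, and with the `''` default in default_config_data an unconfigured interface keeps whatever floor the installed OpenVPN build applies on its own, which on older releases includes TLS 1.0; that is a defensible choice but it is undocumented. A note above the block, e.g. `{# unset: OpenVPN's built-in tls-version-min default applies #}`, would make the behaviour explicit for operators reviewing the rendered config. The neighbouring lines write `{{ tls_dh }}` with inner spaces, so `tls-version-min {{ tls_version_min }}` would match the file's style. The template string this hunk belongs to starts and ends outside the hunk.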
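Review bot: The new `tls minimum-tls-version` handler does not set `openvpn['tls'] = True`, unlike the `tls role` handler visible directly above it in the context lines. If the template section that emits tls-version-min is gated on the tls flag (that gating is not visible in this hunk), configuring only the minimum version would silently render nothing. Either add `openvpn['tls'] = True` inside the new `if` for consistency with the other tls leaves, or add a comment such as `# does not enable TLS on its own; see tls role above` stating why this option is treated differently. get_config() starts and ends outside the hunk.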
From: vindenesen
Date: Fri, 20 Sep 2019 13:52:44 +0200
Subject: OpenVPN - changed tls-minimum-version to tls-version-min
---
 interface-definitions/interfaces-openvpn.xml | 2 +-
 src/conf_mode/interface-openvpn.py | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
(limited to 'src/conf_mode/interface-openvpn.py')
diff --git a/interface-definitions/interfaces-openvpn.xml b/interface-definitions/interfaces-openvpn.xml
index 39fa8e6a6..f11f27e23 100644
--- a/interface-definitions/interfaces-openvpn.xml
+++ b/interface-definitions/interfaces-openvpn.xml
@@ -543,7 +543,7 @@ File containing this host's private key - + Specify the minimum required TLS version
diff --git a/src/conf_mode/interface-openvpn.py b/src/conf_mode/interface-openvpn.py
index 495ddfdf5..984410eb1 100755
--- a/src/conf_mode/interface-openvpn.py
+++ b/src/conf_mode/interface-openvpn.py
@@ -568,8 +568,8 @@ def get_config():
 openvpn['tls'] = True
 # Minimum required TLS version
- if conf.exists('tls minimum-tls-version'):
- openvpn['tls_version_min'] = conf.return_value('tls minimum-tls-version')
+ if conf.exists('tls tls-version-min'):
+ openvpn['tls_version_min'] = conf.return_value('tls tls-version-min')
 if conf.exists('shared-secret-key-file'):
 openvpn['shared_secret_file'] = conf.return_value('shared-secret-key-file')
-- cgit v1.2.3