From 77dde087219467ce8bfcf64a9f7452ca74d66c0c Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Fri, 20 Mar 2020 16:39:50 +0100 Subject: sstp: T2008: move to vpn node --- src/migration-scripts/sstp/0-to-1 | 56 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100755 src/migration-scripts/sstp/0-to-1 (limited to 'src/migration-scripts') diff --git a/src/migration-scripts/sstp/0-to-1 b/src/migration-scripts/sstp/0-to-1 new file mode 100755 index 000000000..0fe1a203f --- /dev/null +++ b/src/migration-scripts/sstp/0-to-1 @@ -0,0 +1,56 @@ +#!/usr/bin/env python3 +# +# Copyright (C) 2020 VyOS maintainers and contributors +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License version 2 or later as +# published by the Free Software Foundation. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +# - migrate from "service sstp-server" to "vpn sstp" + +import os +import sys + +from vyos.configtree import ConfigTree + +if (len(sys.argv) < 1): + print("Must specify file name!") + sys.exit(1) + +file_name = sys.argv[1] + +with open(file_name, 'r') as f: + config_file = f.read() + +config = ConfigTree(config_file) +old_base = ['service', 'sstp-server'] +if not config.exists(old_base): + # Nothing to do + sys.exit(0) +else: + # ensure new base path exists + if not config.exists(['vpn']): + config.set(['vpn']) + + new_base = ['vpn', 'sstp'] + # copy entire tree + config.copy(old_base, new_base) + config.delete(old_base) + + print(config.to_string()) + sys.exit(1) + + try: + with open(file_name, 'w') as f: + f.write(config.to_string()) + except OSError as e: + print("Failed to save the modified config: {}".format(e)) + sys.exit(1) -- cgit v1.2.3 From 106406d46ba594b86056e3341314e9615a501dd5 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Fri, 20 Mar 2020 17:44:25 +0100 Subject: sstp: T2008: dns: unwind configuration --- interface-definitions/vpn-sstp.xml.in | 28 +++++----------------------- src/conf_mode/vpn_sstp.py | 21 ++++++++++----------- src/migration-scripts/sstp/0-to-1 | 13 +++++++++++++ 3 files changed, 28 insertions(+), 34 deletions(-) (limited to 'src/migration-scripts') diff --git a/interface-definitions/vpn-sstp.xml.in b/interface-definitions/vpn-sstp.xml.in index c7c3c3ea5..e2d6aa75e 100644 --- a/interface-definitions/vpn-sstp.xml.in +++ b/interface-definitions/vpn-sstp.xml.in @@ -5,7 +5,7 @@ Secure Socket Tunneling Protocol (SSTP) server - 900 + 901 @@ -318,14 +318,9 @@ - + DNS servers propagated to clients - - - - - Primary DNS Server ipv4 IPv4 address @@ -333,22 +328,9 @@ - - - - - Secondary DNS Server - - ipv4 - IPv4 address - - - - - - - - + + + #include diff --git a/src/conf_mode/vpn_sstp.py b/src/conf_mode/vpn_sstp.py index 12d62ad70..e0ebb2ad9 100755 --- a/src/conf_mode/vpn_sstp.py +++ b/src/conf_mode/vpn_sstp.py @@ -91,12 +91,9 @@ gw-ip-address={{gw}} {% if dnsv4 %} [dns] -{% if dnsv4['primary'] %} -dns1={{dnsv4['primary']}} -{% endif -%} -{% if dnsv4['secondary'] %} -dns2={{dnsv4['secondary']}} -{% endif -%} +{% for dns in dnsv4 -%} +dns{{ loop.index }}={{ dns }} +{% endfor -%} {% endif %} {% if authentication['mode'] == 'local' %} @@ -252,7 +249,7 @@ def get_config(): }, 'ip_pool' : [], 'gw' : None, - 'dnsv4' : {}, + 'dnsv4' : [], 'mtu' : None, 'ppp' : {}, } @@ -352,10 +349,8 @@ def get_config(): config_data['ip_pool'] = c.return_values('network-settings client-ip-settings subnet') if c.exists('network-settings client-ip-settings gateway-address'): config_data['gw'] = c.return_value('network-settings client-ip-settings gateway-address') - if c.exists('network-settings dns-server primary-dns'): - config_data['dnsv4']['primary'] = c.return_value('network-settings dns-server primary-dns') - if c.exists('network-settings dns-server secondary-dns'): - config_data['dnsv4']['secondary'] = c.return_value('network-settings dns-server secondary-dns') + if c.exists('network-settings name-server'): + config_data['dnsv4'] = c.return_values('network-settings name-server') if c.exists('network-settings mtu'): config_data['mtu'] = c.return_value('network-settings mtu') @@ -374,6 +369,7 @@ def get_config(): def verify(c): if c == None: return None + ### vertify auth settings if c['authentication']['mode'] == 'local': if not c['authentication']['local-users']: @@ -390,6 +386,9 @@ def verify(c): if not c['authentication']['local-users'][usr]['upload']: raise ConfigError('user ' + usr + ' requires upload speed value') + if len(c['dnsv4']) > 2: + raise ConfigError("Only 2 DNS name-servers can be configured") + if not c['certs']['ca'] or not c['certs']['server-key'] or not c['certs']['server-cert']: raise ConfigError('service sstp-server sstp-settings ssl-certs needs the ssl certificates set up') else: diff --git a/src/migration-scripts/sstp/0-to-1 b/src/migration-scripts/sstp/0-to-1 index 0fe1a203f..88d3b4fb4 100755 --- a/src/migration-scripts/sstp/0-to-1 +++ b/src/migration-scripts/sstp/0-to-1 @@ -45,6 +45,19 @@ else: config.copy(old_base, new_base) config.delete(old_base) + # migrate DNS servers + dns_base = new_base + ['network-settings', 'dns-server'] + if config.exists(dns_base): + if config.exists(dns_base + ['primary-dns']): + dns = config.return_value(dns_base + ['primary-dns']) + config.set(new_base + ['network-settings', 'name-server'], value=dns, replace=False) + + if config.exists(dns_base + ['secondary-dns']): + dns = config.return_value(dns_base + ['secondary-dns']) + config.set(new_base + ['network-settings', 'name-server'], value=dns, replace=False) + + config.delete(dns_base) + print(config.to_string()) sys.exit(1) -- cgit v1.2.3 From 86e47301786da64a035156edd24ed2ec89918a49 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Fri, 20 Mar 2020 21:54:05 +0100 Subject: sstp: T2110: use uniform RADIUS CLI syntax - migrate RADIUS configuration to a more uniform syntax accross the system - authentication radius-server x.x.x.x to authentication radius server x.x.x.x - authentication radius-settings to authentication radius --- interface-definitions/vpn-sstp.xml.in | 72 ++++++++----------- src/conf_mode/vpn_sstp.py | 132 ++++++++++++++++++---------------- src/migration-scripts/sstp/0-to-1 | 51 ++++++++++++- 3 files changed, 150 insertions(+), 105 deletions(-) (limited to 'src/migration-scripts') diff --git a/interface-definitions/vpn-sstp.xml.in b/interface-definitions/vpn-sstp.xml.in index e2d6aa75e..1508c3313 100644 --- a/interface-definitions/vpn-sstp.xml.in +++ b/interface-definitions/vpn-sstp.xml.in @@ -113,37 +113,23 @@ - - - IP address of RADIUS server - - ipv4 - IP address of RADIUS server - - - - - - Key for accessing the specified server - - - - - Maximum number of simultaneous requests to server (default: unlimited) - - - - - If server does not responds mark it as unavailable for this time (seconds) - - - - - - - RADIUS settings - + #include + + + + + + Maximum number of simultaneous requests to server (default: unlimited) + + + + + If server does not responds mark it as unavailable for this time (seconds) + + + + Timeout to wait response from server (seconds) @@ -151,22 +137,22 @@ - Timeout to wait reply for Interim-Update packets. (default 3 seconds) + Timeout for Interim-Update packets (default 3 seconds) - Maximum number of tries to send Access-Request/Accounting-Request queries + Maximum tries for Access-Request/Accounting-Request queries - Value to send to RADIUS server in NAS-Identifier attribute and to be matched in DM/CoA requests. + NAS-Identifier attribute sent to RADIUS - Value to send to RADIUS server in NAS-IP-Address attribute and to be matched in DM/CoA requests. Also DM/CoA server will bind to that address. + NAS-IP-Address attribute sent to RADIUS @@ -175,14 +161,14 @@ ipv4 NAS-IP-Address Attribute Value - - - + + + - IPv4 address and port to bind Dynamic Authorization Extension server (DM/CoA) + Dynamic Authorization Extension/Change of Authorization server - + IP address for Dynamic Authorization Extension server (DM/CoA) @@ -207,7 +193,7 @@ - + Secret for Dynamic Authorization Extension server (DM/CoA) @@ -221,17 +207,17 @@ - Specifies which radius attribute contains rate information. (default is Filter-Id) + Specifies RADIUS attribute containing rate information (default 'Filter-Id') - Specifies the vendor dictionary. (dictionary needs to be in /usr/share/accel-ppp/radius) + Specifies vendor dictionary (needs to be in /usr/share/accel-ppp/radius) - Enables Bandwidth shaping via RADIUS + Enable RADIUS bandwidth shaping diff --git a/src/conf_mode/vpn_sstp.py b/src/conf_mode/vpn_sstp.py index 362eeddbb..e8c5155dd 100755 --- a/src/conf_mode/vpn_sstp.py +++ b/src/conf_mode/vpn_sstp.py @@ -100,27 +100,26 @@ chap-secrets=/etc/accel-ppp/sstp/chap-secrets [radius] verbose=1 {% for r in radius_server %} -server={{ r.server }},{{ r.secret }},req-limit={{ r.req_limit }},fail-time={{ r.fail_time }} +server={{ r.server }},{{ r.key }},auth-port={{ r.port }},req-limit={{ r.req_limit }},fail-time={{ r.fail_time }} {% endfor -%} -{% if radius_acct_tmo %} acct-timeout={{ radius_acct_tmo }} -{% endif -%} -{% if radius_timeout %} timeout={{ radius_timeout }} -{% endif -%} -{% if rad_max_try %} -max-try={{ rad_max_try }} -{% endif -%} +max-try={{ radius_max_try }} + {% if radius_nas_id %} nas-identifier={{ radius_nas_id }} {% endif -%} {% if radius_nas_ip %} nas-ip-address={{ radius_nas_ip }} {% endif -%} +{% if radius_source_address %} +bind={{ radius_source_address }} +{% endif -%} + -{% if radius_dae %} -dae-server={{ radius_dae.server }}:{{ radius_dae.port }},{{ radius_dae.secret }} +{% if radius_dynamic_author %} +dae-server={{ radius_dynamic_author.server }}:{{ radius_dynamic_author.port }},{{ radius_dynamic_author.key }} {% endif -%} {% endif %} @@ -207,14 +206,15 @@ default_config_data = { 'auth_mode' : 'local', 'auth_proto' : [], 'radius_server' : [], - 'radius_acct_tmo' : '', - 'radius_max_try' : '', - 'radius_timeout' : '', + 'radius_acct_tmo' : '3', + 'radius_max_try' : '3', + 'radius_timeout' : '3', 'radius_nas_id' : '', 'radius_nas_ip' : '', + 'radius_source_address' : '', 'radius_shaper_attr' : '', 'radius_shaper_vendor': '', - 'radius_dae' : {}, + 'radius_dynamic_author' : '', 'ssl_ca' : '', 'ssl_cert' : '', 'ssl_key' : '', @@ -279,76 +279,84 @@ def get_config(): # # RADIUS auth and settings - conf.set_level(base_path) - if conf.exists(['authentication', 'radius-server']): - for server in conf.list_nodes(['authentication', 'radius-server']): + conf.set_level(base_path + ['authentication', 'radius']) + if conf.exists(['server']): + for server in conf.list_nodes(['server']): radius = { 'server' : server, - 'secret' : '', + 'key' : '', 'fail_time' : 0, + 'port' : '1812', 'req_limit' : 0 } - conf.set_level(base_path + ['authentication', 'radius-server', server]) - - if conf.exists(['secret']): - radius['secret'] = conf.return_value(['secret']) + conf.set_level(base_path + ['authentication', 'radius', 'server', server]) if conf.exists(['fail-time']): radius['fail-time'] = conf.return_value(['fail-time']) + if conf.exists(['port']): + radius['port'] = conf.return_value(['port']) + if conf.exists(['req-limit']): radius['req_limit'] = conf.return_value(['req-limit']) - sstp['radius_server'].append(radius) + if conf.exists(['key']): + radius['key'] = conf.return_value(['key']) + + if not conf.exists(['disable']): + sstp['radius_server'].append(radius) + # # advanced radius-setting - conf.set_level(base_path + ['authentication', 'radius-settings']) - if conf.exists([]): - if conf.exists(['acct-timeout']): - sstp['radius_acct_tmo'] = conf.return_value(['acct-timeout']) + conf.set_level(base_path + ['authentication', 'radius']) - if conf.exists(['max-try']): - sstp['radius_max_try'] = conf.return_value(['max-try']) + if conf.exists(['acct-timeout']): + sstp['radius_acct_tmo'] = conf.return_value(['acct-timeout']) - if conf.exists(['timeout']): - sstp['radius_timeout'] = conf.return_value(['timeout']) + if conf.exists(['max-try']): + sstp['radius_max_try'] = conf.return_value(['max-try']) - if conf.exists(['nas-identifier']): - sstp['radius_nas_id'] = conf.return_value(['nas-identifier']) + if conf.exists(['timeout']): + sstp['radius_timeout'] = conf.return_value(['timeout']) - if conf.exists(['nas-ip-address']): - sstp['radius_nas_ip'] = conf.return_value(['nas-ip-address']) + if conf.exists(['nas-identifier']): + sstp['radius_nas_id'] = conf.return_value(['nas-identifier']) - # Dynamic Authorization Extensions (DOA)/ - # Change Of Authentication (COA) - if conf.exists(['dae-server']): - dae = { - 'port' : '', - 'server' : '', - 'secret' : '' - } + if conf.exists(['nas-ip-address']): + sstp['radius_nas_ip'] = conf.return_value(['nas-ip-address']) - if conf.exists(['ip-address']): - dae['server'] = conf.return_value(['ip-address']) + if conf.exists(['source-address']): + sstp['radius_source_address'] = conf.return_value(['source-address']) + + # Dynamic Authorization Extensions (DOA)/Change Of Authentication (COA) + if conf.exists(['dynamic-author']): + dae = { + 'port' : '', + 'server' : '', + 'key' : '' + } - if conf.exists(['port']): - dae['port'] = conf.return_value(['port']) + if conf.exists(['dynamic-author', 'server']): + dae['server'] = conf.return_value(['dynamic-author', 'server']) - if conf.exists(['secret']): - dae['secret'] = conf.return_value(['secret']) + if conf.exists(['dynamic-author', 'port']): + dae['port'] = conf.return_value(['dynamic-author', 'port']) - sstp['radius_dae'] = dae + if conf.exists(['dynamic-author', 'key']): + dae['key'] = conf.return_value(['dynamic-author', 'key']) - if conf.exists(['rate-limit', 'enable']): - sstp['radius_shaper_attr'] = 'Filter-Id' - c_attr = ['rate-limit', 'enable', 'attribute'] - if conf.exists(c_attr): - sstp['radius_shaper_attr'] = conf.return_value(c_attr) + sstp['radius_dynamic_author'] = dae - c_vendor = ['rate-limit', 'enable', 'vendor'] - if conf.exists(c_vendor): - sstp['radius_shaper_vendor'] = conf.return_value(c_vendor) + if conf.exists(['rate-limit', 'enable']): + sstp['radius_shaper_attr'] = 'Filter-Id' + c_attr = ['rate-limit', 'enable', 'attribute'] + if conf.exists(c_attr): + sstp['radius_shaper_attr'] = conf.return_value(c_attr) + + c_vendor = ['rate-limit', 'enable', 'vendor'] + if conf.exists(c_vendor): + sstp['radius_shaper_vendor'] = conf.return_value(c_vendor) # # authentication protocols @@ -466,8 +474,8 @@ def verify(sstp): raise ConfigError('RADIUS authentication requires at least one server') for radius in sstp['radius_server']: - if not radius['secret']: - raise ConfigError(f"Missing RADIUS secret for server {{ radius['server'] }}") + if not radius['key']: + raise ConfigError(f"Missing RADIUS secret for server {{ radius['key'] }}") def generate(sstp): if sstp is None: @@ -486,6 +494,9 @@ def generate(sstp): f.write(config_text) os.chmod(chap_secrets, S_IRUSR | S_IWUSR | S_IRGRP ) + else: + if os.path.exists(chap_secrets): + os.unlink(chap_secrets) return sstp @@ -526,6 +537,7 @@ def apply(sstp): else: accel_cmd('restart') + if __name__ == '__main__': try: c = get_config() diff --git a/src/migration-scripts/sstp/0-to-1 b/src/migration-scripts/sstp/0-to-1 index 88d3b4fb4..652a2662f 100755 --- a/src/migration-scripts/sstp/0-to-1 +++ b/src/migration-scripts/sstp/0-to-1 @@ -14,7 +14,12 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . + # - migrate from "service sstp-server" to "vpn sstp" +# - remove primary/secondary identifier from nameserver +# - migrate RADIUS configuration to a more uniform syntax accross the system +# - authentication radius-server x.x.x.x to authentication radius server x.x.x.x +# - authentication radius-settings to authentication radius import os import sys @@ -58,8 +63,50 @@ else: config.delete(dns_base) - print(config.to_string()) - sys.exit(1) + + # migrate radius options - copy subtree + # thus must happen before migration of the individual RADIUS servers + old_options = new_base + ['authentication', 'radius-settings'] + new_options = new_base + ['authentication', 'radius'] + config.copy(old_options, new_options) + config.delete(old_options) + + + # migrate radius dynamic author / change of authorisation server + dae_old = new_base + ['authentication', 'radius', 'dae-server'] + if config.exists(dae_old): + config.rename(dae_old, 'dynamic-author') + dae_new = new_base + ['authentication', 'radius', 'dynamic-author'] + + if config.exists(dae_new + ['ip-address']): + config.rename(dae_new + ['ip-address'], 'server') + + if config.exists(dae_new + ['secret']): + config.rename(dae_new + ['secret'], 'key') + + + # migrate radius server + radius_server = new_base + ['authentication', 'radius-server'] + if config.exists(radius_server): + for server in config.list_nodes(radius_server): + base = radius_server + [server] + new = new_base + ['authentication', 'radius', 'server', server] + + # convert secret to key + if config.exists(base + ['secret']): + tmp = config.return_value(base + ['secret']) + config.set(new + ['key'], value=tmp) + + if config.exists(base + ['fail-time']): + tmp = config.return_value(base + ['fail-time']) + config.set(new + ['fail-time'], value=tmp) + + if config.exists(base + ['req-limit']): + tmp = config.return_value(base + ['req-limit']) + config.set(new + ['req-limit'], value=tmp) + + config.set_tag(new_base + ['authentication', 'radius', 'server']) + config.delete(radius_server) try: with open(file_name, 'w') as f: -- cgit v1.2.3 From a8920a1f13e6091355d33541802b1486c0cfa653 Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Fri, 20 Mar 2020 23:07:43 +0100 Subject: sstp: T2008: remove req-limit config node Limiting the amount of requests passed to a server seems to be the wrong way to tackle a problem. --- interface-definitions/vpn-sstp.xml.in | 5 ----- src/conf_mode/vpn_sstp.py | 8 ++------ src/migration-scripts/sstp/0-to-1 | 5 +---- 3 files changed, 3 insertions(+), 15 deletions(-) (limited to 'src/migration-scripts') diff --git a/interface-definitions/vpn-sstp.xml.in b/interface-definitions/vpn-sstp.xml.in index 1508c3313..bb851608c 100644 --- a/interface-definitions/vpn-sstp.xml.in +++ b/interface-definitions/vpn-sstp.xml.in @@ -118,11 +118,6 @@ - - - Maximum number of simultaneous requests to server (default: unlimited) - - If server does not responds mark it as unavailable for this time (seconds) diff --git a/src/conf_mode/vpn_sstp.py b/src/conf_mode/vpn_sstp.py index e8c5155dd..09de7d112 100755 --- a/src/conf_mode/vpn_sstp.py +++ b/src/conf_mode/vpn_sstp.py @@ -100,7 +100,7 @@ chap-secrets=/etc/accel-ppp/sstp/chap-secrets [radius] verbose=1 {% for r in radius_server %} -server={{ r.server }},{{ r.key }},auth-port={{ r.port }},req-limit={{ r.req_limit }},fail-time={{ r.fail_time }} +server={{ r.server }},{{ r.key }},auth-port={{ r.port }},req-limit=0,fail-time={{ r.fail_time }} {% endfor -%} acct-timeout={{ radius_acct_tmo }} @@ -286,8 +286,7 @@ def get_config(): 'server' : server, 'key' : '', 'fail_time' : 0, - 'port' : '1812', - 'req_limit' : 0 + 'port' : '1812' } conf.set_level(base_path + ['authentication', 'radius', 'server', server]) @@ -298,9 +297,6 @@ def get_config(): if conf.exists(['port']): radius['port'] = conf.return_value(['port']) - if conf.exists(['req-limit']): - radius['req_limit'] = conf.return_value(['req-limit']) - if conf.exists(['key']): radius['key'] = conf.return_value(['key']) diff --git a/src/migration-scripts/sstp/0-to-1 b/src/migration-scripts/sstp/0-to-1 index 652a2662f..2edf76a56 100755 --- a/src/migration-scripts/sstp/0-to-1 +++ b/src/migration-scripts/sstp/0-to-1 @@ -20,6 +20,7 @@ # - migrate RADIUS configuration to a more uniform syntax accross the system # - authentication radius-server x.x.x.x to authentication radius server x.x.x.x # - authentication radius-settings to authentication radius +# - do not migrate radius server req-limit, use default of unlimited import os import sys @@ -101,10 +102,6 @@ else: tmp = config.return_value(base + ['fail-time']) config.set(new + ['fail-time'], value=tmp) - if config.exists(base + ['req-limit']): - tmp = config.return_value(base + ['req-limit']) - config.set(new + ['req-limit'], value=tmp) - config.set_tag(new_base + ['authentication', 'radius', 'server']) config.delete(radius_server) -- cgit v1.2.3 From 95c42faa4436c5dd761049a8a6e75996c815cc2c Mon Sep 17 00:00:00 2001 From: Christian Poessinger Date: Fri, 20 Mar 2020 23:22:09 +0100 Subject: sstp: T2008: migrate SSL certificate nodes --- interface-definitions/vpn-sstp.xml.in | 55 +++++++++++++++-------------------- src/conf_mode/vpn_sstp.py | 14 ++++----- src/migration-scripts/sstp/0-to-1 | 17 +++++++++++ 3 files changed, 48 insertions(+), 38 deletions(-) (limited to 'src/migration-scripts') diff --git a/interface-definitions/vpn-sstp.xml.in b/interface-definitions/vpn-sstp.xml.in index cf864b069..59aae9f7f 100644 --- a/interface-definitions/vpn-sstp.xml.in +++ b/interface-definitions/vpn-sstp.xml.in @@ -252,42 +252,35 @@ - + - SSTP settings + SSL Certificate, SSL Key and CA (/config/user-data/sstp) - + - SSL Certificate, SSL Key and CA (/config/user-data/sstp) + Certificate Authority certificate + + + - - - - Certificate Authority certificate - - - - - - - - Server Certificate - - - - - - - - Privat Key of the Server Certificate - - - - - - - + + + + Server Certificate + + + + + + + + Privat Key of the Server Certificate + + + + + diff --git a/src/conf_mode/vpn_sstp.py b/src/conf_mode/vpn_sstp.py index 09de7d112..a2e7c9327 100755 --- a/src/conf_mode/vpn_sstp.py +++ b/src/conf_mode/vpn_sstp.py @@ -373,15 +373,15 @@ def get_config(): # # read in SSL certs - conf.set_level(base_path + ['sstp-settings', 'ssl-certs']) - if conf.exists(['ca']): - sstp['ssl_ca'] = conf.return_value(['ca']) + conf.set_level(base_path + ['ssl']) + if conf.exists(['ca-cert-file']): + sstp['ssl_ca'] = conf.return_value(['ca-cert-file']) - if conf.exists(['server-cert']): - sstp['ssl_cert'] = conf.return_value(['server-cert']) + if conf.exists(['cert-file']): + sstp['ssl_cert'] = conf.return_value(['cert-file']) - if conf.exists(['server-key']): - sstp['ssl_key'] = conf.return_value(['server-key']) + if conf.exists(['key-file']): + sstp['ssl_key'] = conf.return_value(['key-file']) # diff --git a/src/migration-scripts/sstp/0-to-1 b/src/migration-scripts/sstp/0-to-1 index 2edf76a56..1d1bea51f 100755 --- a/src/migration-scripts/sstp/0-to-1 +++ b/src/migration-scripts/sstp/0-to-1 @@ -21,6 +21,7 @@ # - authentication radius-server x.x.x.x to authentication radius server x.x.x.x # - authentication radius-settings to authentication radius # - do not migrate radius server req-limit, use default of unlimited +# - migrate SSL certificate path import os import sys @@ -105,6 +106,22 @@ else: config.set_tag(new_base + ['authentication', 'radius', 'server']) config.delete(radius_server) + # migrate SSL certificates + old_ssl = new_base + ['sstp-settings', 'ssl-certs'] + new_ssl = new_base + ['ssl'] + config.copy(old_ssl, new_ssl) + config.delete(old_ssl) + + if config.exists(new_ssl + ['ca']): + config.rename(new_ssl + ['ca'], 'ca-cert-file') + + if config.exists(new_ssl + ['server-cert']): + config.rename(new_ssl + ['server-cert'], 'cert-file') + + if config.exists(new_ssl + ['server-key']): + config.rename(new_ssl + ['server-key'], 'key-file') + + try: with open(file_name, 'w') as f: f.write(config.to_string()) -- cgit v1.2.3