OpenVPN keys should allow a passphrase to be set on them.

[JonTheNiceGuy <jon@…>]

Currrently, the OpenVPN configuration files are supplied without a passphrase on the SSL keys. While this is fine for limited implementations, on a larger roll-out, this lack of basic security may compromise the supplied keys.

Sadly, I don't have to-hand the method of automatically defining this passphrase, but it was used successfully on the OpenVPN plugin for Webmin and I have seen it in other OpenVPN deployment scripts.

[matthijs]

I guess end-users can always set their own passphrases using the openssl tools, but that's hardly user-friendly. Setting a passphrases when generating the client config is probably a good idea.

[JonTheNiceGuy <jon@…>]

Here's the code I found from the Webmin module (written by  http://www.openit.it)

"openssl req -days ".$$info{'KEY_EXPIRE'}." -batch -new -keyout ".$dir.".key -out ".$dir.".csr -passout pass:\"".$$info{'KEY_PASSWD'}."\" -config ".$$info{'KEY_CONFIG'}

So, it looks like there's the switch we need: -passout pass:"password"

And, accordingly, at  http://www.openssl.org/docs/apps/openssl.html#PASS_PHRASE_ARGUMENTS is the text we need to know:

We can use

-passout pass:"a password" or -passout file:"/path/to/temp/file/or/fifo/containing/password" or echo "password" | openssl -passout stdin

[matthijs]

I added support for this in my local tree just now, I'll push that out to SVN this week.

[matthijs]

(In [2182]) luci-openvpn: Allow setting a passphrase for new clients.

Closes: #912