Opened 9 years ago

Closed 7 years ago

Last modified 5 years ago

#912 closed enhancement (fixed)

OpenVPN keys should allow a passphrase to be set on them.

Reported by: JonTheNiceGuy <jon@…>
Owned by:
Priority: normal
Milestone: Firmware 2.3.7.0
Component: fon-plugin-openvpn
Version: 2.3.6.1 (Gari jr.)
Severity: normal
Cc:
Hardware: both

Description

Currently, the OpenVPN configuration files are supplied without a passphrase on the SSL keys. While this is fine for limited implementations, on a larger roll-out, this lack of basic security may compromise the supplied keys.

Sadly, I don't have to-hand the method of automatically defining this passphrase, but it was used successfully on the OpenVPN plugin for Webmin and I have seen it in other OpenVPN deployment scripts.

Attachments (0)

Change History (5)

comment:1 Changed 9 years ago by matthijs

  • Hardware changed from 2.0n (FON2300) to both
  • Milestone set to Firmware 2.3
  • Severity changed from unknown to normal
  • Status changed from new to confirmed

I guess end-users can always set their own passphrases using the openssl tools, but that's hardly user-friendly. Setting a passphrase when generating the client config is probably a good idea.

comment:2 Changed 9 years ago by JonTheNiceGuy <jon@…>

Here's the code I found from the Webmin module (written by http://www.openit.it)

"openssl req -days ".$$info{'KEY_EXPIRE'}." -batch -new -keyout ".$dir.".key -out ".$dir.".csr -passout pass:\"".$$info{'KEY_PASSWD'}."\" -config ".$$info{'KEY_CONFIG'}

So, it looks like there's the switch we need: -passout pass:"password"

And, accordingly, at http://www.openssl.org/docs/apps/openssl.html#PASS_PHRASE_ARGUMENTS is the text we need to know:

We can use

-passout pass:"a password" or -passout file:"/path/to/temp/file/or/fifo/containing/password" or echo "password" | openssl -passout stdin
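
The three -passout forms listed in comment:2 differ in exposure: the OpenSSL documentation notes that pass: leaves the password visible to utilities such as ps, so a key-generation script is better served by file: or stdin. The following is an added example, not code from this ticket, the Webmin module or the firmware; the function names, RSA-2048, the CN-only subject and the minimal inline config are assumptions of the example.

```shell
#!/bin/sh
# Added example: create a passphrase-protected client key and CSR, then
# verify the protection. Names and parameters here are illustrative.

# gen_client_key NAME PASSFILE OUTDIR
# The passphrase is read from the first line of PASSFILE via -passout file:,
# so it never appears in the process argument list as -passout pass:... would.
# Runs in a subshell so the umask change does not leak to the caller.
gen_client_key() (
    name=$1 passfile=$2 outdir=$3
    umask 077                        # key, CSR and temp config: owner only
    cnf=$(mktemp) || exit 1
    # Minimal config so the example does not depend on a system openssl.cnf
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$cnf"
    rc=0
    openssl req -batch -new -newkey rsa:2048 \
        -keyout "$outdir/$name.key" -out "$outdir/$name.csr" \
        -subj "/CN=$name" -config "$cnf" \
        -passout "file:$passfile" 2>/dev/null || rc=$?
    rm -f "$cnf"
    exit "$rc"
)

# key_is_protected KEYFILE PASSFILE
# Succeeds only if the PEM is marked as encrypted AND decrypts with the
# passphrase in PASSFILE. An unencrypted key fails the first check; a wrong
# passphrase fails the second.
key_is_protected() {
    grep -q 'ENCRYPTED' "$1" || return 1
    openssl pkey -in "$1" -passin "file:$2" -noout 2>/dev/null
}

# Usage when run as a script: ./genkey.sh client1 /path/to/passfile /out/dir
# PASSFILE should be mode 0600 and removed once the key has been generated.
if [ "$#" -ge 3 ]; then
    gen_client_key "$1" "$2" "$3" && key_is_protected "$3/$1.key" "$2"
fi
```
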

comment:3 Changed 7 years ago by matthijs

  • Milestone changed from Firmware 2.3 to Firmware 2.3.7.0
  • Status changed from confirmed to testing-fix

I added support for this in my local tree just now, I'll push that out to SVN this week.

comment:4 Changed 7 years ago by matthijs

  • Resolution set to fixed
  • Status changed from testing-fix to closed

(In [2182]) luci-openvpn: Allow setting a passphrase for new clients.

Closes: #912
