
Always use locate_support_files() after secure_session() #1270

Merged
merged 7 commits into from
Dec 6, 2024

Conversation

TinCanTech
Collaborator

@TinCanTech TinCanTech commented Dec 4, 2024

easyrsa:
Move locate_support_files() to the last command in verify_working_env(). This means that for single commands, locate_support_files() will find an existing 'openssl-easyrsa.cnf' file, after secure_session() has cleared the '$EASYRSA_SSL_CONF' variable.

For build_full(), use locate_support_files() after secure_session(), during the phase between gen_req() and sign_req(), when the secure session is recreated.

easyrsa-tools.lib:
In read_db(), set the same order as above, between each record.

edit included in force push.

easyrsa:
Move locate_support_files() to the last command in verify_working_env().
This means that for single commands, locate_support_files() will find an
existing 'openssl-easyrsa.cnf' file, after secure_session() has cleared
the '$EASYRSA_SSL_CONF' variable.

For build_full(), use locate_support_files() after secure_session(),
during the phase between gen_req() and sign_req(), when the secure
session is recreated.

easyrsa-tools.lib:
In read_db(), set the same order as above, between each record.

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
@TinCanTech TinCanTech force-pushed the bugfix-user-ssl-conf branch from bd4e73c to d693711 on December 4, 2024 22:39
@TinCanTech
Collaborator Author

This fix does not honor --ssl-conf (which should be renamed to --ssl-cnf).

@TinCanTech
Collaborator Author

TinCanTech commented Dec 4, 2024

The solution appears to be an internal variable to track the changes made to openssl-easyrsa.cnf during operation, while preserving the original value for $EASYRSA_SSL_CONF.

Otherwise, some other insane scheme!

Compound function build_full() calls gen_req() then sign_req().
However, between the two, $EASYRSA_SSL_CONF is set to a temp-file,
which has now been deleted. This causes sign_req() to use a
different SSL config file than that used by gen_req().

Also, '--ssl-conf' is ignored when secure_session() clears
$EASYRSA_SSL_CONF.

This change saves the original setting for $EASYRSA_SSL_CONF,
which is then restored when remove_secure_session() is called.

Also, secure_session() no longer clears $EASYRSA_SSL_CONF,
preserving the setting of '--ssl-conf'.

This mechanism also covers easyrsa-tools.lib:read_db(),
which also resets the temporary session. This does not
require updating easyrsa-tools.lib version (@v322).

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
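The save-and-restore scheme described in the PR description and in the commit message above, as an added example that is not easy-rsa's own code: a small POSIX sh model in which secure_session(), remove_secure_session(), locate_support_files(), gen_req() and sign_req() are simplified stand-ins named after the functions discussed here (the real bodies are different), the config files and scratch directory are constructed, and the "old_" functions clear $EASYRSA_SSL_CONF the way the commit message describes while the "new_" functions save and restore it. Running the build_full()-style trace in both modes shows the two symptoms the commit message names (the --ssl-conf file being ignored, and sign_req() seeing a different config than gen_req()) next to the fixed behaviour.

```shell
#!/bin/sh
# Added example (not easy-rsa's own code): a small model of the
# $EASYRSA_SSL_CONF handling this PR fixes. Function names mirror the
# PR discussion; bodies are simplified stand-ins and all paths are
# constructed under a scratch directory.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
DEFAULT_CNF="$WORK/openssl-easyrsa.cnf"   # what locate_support_files() finds
USER_CNF="$WORK/user.cnf"                 # the file a user passes with --ssl-conf
printf 'default_md = sha256\n' > "$DEFAULT_CNF"
printf 'default_md = sha512\n' > "$USER_CNF"
SESSION_N=0

# Only fall back to the default file when nothing is set.
locate_support_files() {
    [ -n "$EASYRSA_SSL_CONF" ] || EASYRSA_SSL_CONF="$DEFAULT_CNF"
}

# A session copies the active config to a temp file and points the variable at it.
make_session_cnf() {
    SESSION_N=$((SESSION_N + 1))
    SESSION_CNF="$WORK/session-$SESSION_N.cnf"
    cp "$EASYRSA_SSL_CONF" "$SESSION_CNF"
    EASYRSA_SSL_CONF="$SESSION_CNF"
}

# gen_req()/sign_req() stand-ins: each command locates its support files,
# then records the default_md its config selects ("missing" if the variable
# points at a file that no longer exists).
read_md() {
    if [ -f "$EASYRSA_SSL_CONF" ]; then
        sed -n 's/^default_md = //p' "$EASYRSA_SSL_CONF"
    else
        echo missing
    fi
}
gen_req()  { locate_support_files; GEN_MD=$(read_md); }
sign_req() { locate_support_files; SIGN_MD=$(read_md); }

# "Before": secure_session() clears the variable first, so the session is
# built from the default file and --ssl-conf is ignored; removal deletes the
# temp file but leaves the variable pointing at it.
old_secure_session() {
    EASYRSA_SSL_CONF=""
    locate_support_files
    make_session_cnf
}
old_remove_secure_session() { rm -f "$SESSION_CNF"; }

# "After": save the original, never clear it, and restore it on removal.
new_secure_session() {
    EASYRSA_SSL_CONF_ORIG="$EASYRSA_SSL_CONF"
    locate_support_files
    make_session_cnf
}
new_remove_secure_session() {
    rm -f "$SESSION_CNF"
    EASYRSA_SSL_CONF="$EASYRSA_SSL_CONF_ORIG"
}

# build_full()-style flow: gen_req() inside a session, the session is torn
# down, then sign_req() runs.  $1 = old|new, $2 = --ssl-conf value (may be empty).
# Prints "<md seen by gen_req>|<md seen by sign_req>|<restored or changed>",
# where the last field compares the variable to its starting value right
# after remove_secure_session().
build_full_trace() {
    EASYRSA_SSL_CONF="$2"
    "${1}_secure_session"
    gen_req
    "${1}_remove_secure_session"
    if [ "$EASYRSA_SSL_CONF" = "$2" ]; then state=restored; else state=changed; fi
    sign_req
    printf '%s|%s|%s\n' "$GEN_MD" "$SIGN_MD" "$state"
}

echo "old: $(build_full_trace old "$USER_CNF")"   # sha256|missing|changed
echo "new: $(build_full_trace new "$USER_CNF")"   # sha512|sha512|restored
```

Run it with plain `sh`; it needs only mktemp, cp and sed. In the old mode the user's sha512 config never reaches gen_req(), and sign_req() is handed a path to a temp file that has already been deleted; in the new mode both commands see the user's config and the variable is back to its original value once remove_secure_session() returns, which is also what makes the read_db() case in easyrsa-tools.lib safe without further changes.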
Retain --ssl-conf for backward compatibility

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
To change a requested CN use option --new-subject not --req-cn.

Option --req-cn is reserved for use with command 'gen-req'.

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
@TinCanTech TinCanTech merged commit d21946a into OpenVPN:master Dec 6, 2024
4 checks passed

Successfully merging this pull request may close these issues.

User defined SSL config file is not used
1 participant