v3.2.0-beta2 #1055

Merged
merged 31 commits into from
Jan 13, 2024

@TinCanTech TinCanTech commented Jan 2, 2024

Important changes:

@TinCanTech TinCanTech self-assigned this Jan 2, 2024
@TinCanTech TinCanTech added this to the v3.2.0 milestone Jan 2, 2024
This changes default behavior from NEVER setting a friendlyName
to ALWAYS setting friendlyName to the file-name-base.

The friendlyName is "typically displayed in list boxes by software
importing the file".

Having Easy-RSA populate this field with known values, which do not
leak excess information, is considered to be appropriate.

An alternate friendlyName can be configured by using:
* Global option '--usefn=<friendlyName>'

Fallback to previous behavior can be configured by using:
* Command option 'nofn' ('friendlyname' will not be set)

Signed-off-by: Richard T Bonhomme <[email protected]>
@TinCanTech TinCanTech changed the title README.md: Update branch structure - V2 v3.2.0-beta2 Jan 2, 2024
@TinCanTech TinCanTech linked an issue Jan 2, 2024 that may be closed by this pull request
TinCanTech and others added 5 commits January 3, 2024 00:31
Also, improve current v3.2.0 details by replacing single pull-request
ID with shortened commit hash for each ChangeLog item.

Signed-off-by: Richard T Bonhomme <[email protected]>
Require OpenSSL v3 for use.

If used then add an extra error message, to clarify that SSL option
'-legacy' may not be supported by the SSL library in use.

Improve 'help' and Changelog details.

Signed-off-by: Richard T Bonhomme <[email protected]>
SSL option -days only configures certificate lifetime; it does not
apply to the life-time of a CRL. For a CRL SSL option -crldays is
required.

The script only succeeded before because openssl-easyrsa.cnf file
always configured "default_crl_days = $EASYRSA_CRL_DAYS".

Changing the function to use -crldays means that 'default_crl_days'
field can be removed from openssl-easyrsa.cnf file.

However, this change only removes 'default_crl_days' from the auto-
generated version of openssl-easyrsa.cnf - This means no changes
are required for packaging the SSL config file.

Signed-off-by: Richard T Bonhomme <[email protected]>
@TinCanTech TinCanTech linked an issue Jan 5, 2024 that may be closed by this pull request
The SSL config file is always verified as present when
secure_session() is called, at the beginning of execution.

This change forces the use of a temp-file, containing the
current here-doc version of the SSL config file.

If the current, existing file is NOT recognised as a hash
identical file to either the release version or the here-doc
version, which can include new version hashes, then the file
is left in place and used.

Otherwise, if the current file is recognised then it will be
deleted and, from then on, a temp-file based on the here-doc
will always be used in future.

This approach also solves the problem of the unpopulated SSL
config file field 'default_days = $ENV::EASYRSA_CERT_EXPIRE'.

The solution here is to remove the unnecessary 'default_days'
definition. The 'default_days' field is always configured via
the command line.

Signed-off-by: Richard T Bonhomme <[email protected]>
The temp-session has been moved to temp-storage, so cannot be removed.

Signed-off-by: Richard T Bonhomme <[email protected]>
The reason for this is to allow signed certificates to be imported,
in order to create inline files for remote clients, who have sent
a CSR to the CA and received a signed certificate from the CA.

Signed-off-by: Richard T Bonhomme <[email protected]>
@TinCanTech TinCanTech linked an issue Jan 6, 2024 that may be closed by this pull request
These flags should be set before selecting a vars file.

Set information about "no vars file selected" to verbose level.

Signed-off-by: Richard T Bonhomme <[email protected]>
This ensures command 'write' output will remain unpolluted by user
and diagnostic messages, which allows for the raw command output to
be externally redirected to a file.

Signed-off-by: Richard T Bonhomme <[email protected]>
@TinCanTech TinCanTech linked an issue Jan 7, 2024 that may be closed by this pull request
This looks more intrusive than it really is.

The problem to solve is creating an openssl-easyrsa.cnf file
in the EASYRSA_TEMP_DIR, as a temp-file.

1. Remove write_easyrsa_ssl_cnf_tmp() from secure_session():
   This was not the correct place to create the SSL cnf file.

2. make_safe_ssl(): pass parameters to 'easyrsa_openssl makesafeconf'

3. Specify a new variable for the 'safe-ssl' file: $safe_target_file

3.a If $safe_target_file is specified then send output to it.
    Otherwise, send output to 'stdout' (As all other 'write' commands).

4. Secure a temp-session, only if it has not been done before.

4.a Create openssl-easyrsa.cnf (Temp), only if a secure session was
    created above. Otherwise, this file has already been created.

5. write_easyrsa_ssl_cnf_tmp:
   Set OPENSSL_CONF=/dev/null for subshell use of raw SSL execution.

6. Have legacy_files() require_pki=1 and verify_working_env().
   Move '$legacy_file_over_write' confirmation to legacy_files()

7. Change 'write safe-ssl' from fixed output to the same as all
   other 'write' commands: output to 'stdout' or a predetermined
   file-name in a user specified directory, eg:
   - 'easyrsa write safe-ssl' or 'easyrsa write safe-ssl pki'

8. Recategorise 'write' as not requiring a PKI, because we may want
   to output to 'stdout' without a working PKI.

9. IMPORTANT: This is new for Easy-RSA, correct use of a temp-dir.

If a working temp-dir exists then create a temp-session
and openssl-easyrsa.cnf (Temp) file.

This decouples the default temp-dir from a default PKI.

Unrelated change:
- Change a 'print' to 'information' in --keep-tmp code.

Signed-off-by: Richard T Bonhomme <[email protected]>
There is now 'ssl-cnf' or 'safe-cnf'.

Signed-off-by: Richard T Bonhomme <[email protected]>
@TinCanTech TinCanTech linked an issue Jan 9, 2024 that may be closed by this pull request
The temp-session is recreated for each record read, otherwise the
temp-file counter grows as the database grows.  This way, temp-files
are created as if each record is a separate instance of 'easyrsa'.

Recreate the openssl-easyrsa.cnf (Temp) when the temp-session
is recreated.

Signed-off-by: Richard T Bonhomme <[email protected]>
Move the creation of secure_session and openssl-easyrsa.cnf (Temp)
to verify_working_env(). Create a session and temp-file in the temp-dir
EASYRSA_TEMP_DIR, provided that the directory exists.

By default, EASYRSA_TEMP_DIR is set to the current PKI but that can be
decoupled and command 'write' can be run without a PKI, so long as a
valid temp-dir exists.

Correction to error message about 'write <type>' being unknown.

Signed-off-by: Richard T Bonhomme <[email protected]>
Minor improvement to code: Expand short-circuit switch.

Signed-off-by: Richard T Bonhomme <[email protected]>
Commit 2a8c0de introduced "Delete existing openssl-easyrsa.cnf".

This commit changes from deleting the file to ignoring the file
and creating a drop-in temp-file but ONLY if the file is unchanged.

Signed-off-by: Richard T Bonhomme <[email protected]>
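
The hash-recognition rule from the commit messages above (a locally modified openssl-easyrsa.cnf is left in place and used; an unchanged one is ignored in favour of a temp-file written from the built-in text) can be sketched as below. This is an added example, not Easy-RSA's own code: the function names, the stand-in config text, the known-hash list passed by the caller and the handling of an absent file are all assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration; not Easy-RSA code. All names here are hypothetical.

# Constructed stand-in for the built-in (here-doc) config text.
builtin_cnf() {
    printf '%s\n' '[ ca ]' 'default_ca = CA_default'
}

# SHA-256 of a file, hex digest only.
file_hash() {
    sha256sum "$1" | cut -d ' ' -f 1
}

# select_ssl_cnf <existing-file> <temp-dir> <known-hash>...
# Prints the path of the config file that should be used.
select_ssl_cnf() {
    existing=$1
    tmp_dir=$2
    shift 2
    if [ -f "$existing" ]; then
        have=$(file_hash "$existing") || return 1
        recognised=0
        for known in "$@"; do
            if [ "$have" = "$known" ]; then
                recognised=1
            fi
        done
        if [ "$recognised" -eq 0 ]; then
            # Hash not recognised: locally modified, so leave it in
            # place and use it.
            printf '%s\n' "$existing"
            return 0
        fi
    fi
    # Unchanged (or, as an assumption here, absent): do not delete the
    # file, just write a drop-in temp-file. mktemp creates it mode 0600.
    tmp_file=$(mktemp "$tmp_dir/ssl-cnf.XXXXXX") || return 1
    builtin_cnf > "$tmp_file"
    printf '%s\n' "$tmp_file"
}
```

Comparing against a list of hashes rather than a single value is what lets new release hashes be recognised without treating older stock files as user-modified.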
Commit 60216d5, partially revert 2a8c0de.

Signed-off-by: Richard T Bonhomme <[email protected]>
Allow easyrsa to find openssl-easyrsa.cnf in multiple locations.

Signed-off-by: Richard T Bonhomme <[email protected]>
Replaced by command 'write safe-cnf'

Signed-off-by: Richard T Bonhomme <[email protected]>
@TinCanTech TinCanTech merged commit d51d79b into master Jan 13, 2024
3 checks passed
TinCanTech added a commit that referenced this pull request Feb 17, 2024
(#1055)

Further additions:
* Windows: Introduce 'Non-Admin' mode (c2823c4) (#1073)
* LibreSSL: Add fix for missing 'x509' option '-ext' (96dd959) (#1068)
* Variable heredoc expansion for SSL/Safe Config file (9c5d423) (#1064)

Signed-off-by: Richard T Bonhomme <[email protected]>