v3.2.0-beta2
#1055
Merged
Signed-off-by: Richard T Bonhomme <[email protected]>
This changes default behavior from NEVER setting a friendlyName to ALWAYS setting friendlyName to the file-name-base.

The friendlyName is "typically displayed in list boxes by software importing the file". Having Easy-RSA populate this field with known values, which do not leak excess information, is considered to be appropriate.

An alternate friendlyName can be configured by using:
* Global option '--usefn=<friendlyName>'

Fallback to previous behavior can be configured by using:
* Command option 'nofn' ('friendlyname' will not be set)

Signed-off-by: Richard T Bonhomme <[email protected]>
Signed-off-by: Richard T Bonhomme <[email protected]>
Also, improve current v3.2.0 details by replacing single pull-request ID with shortened commit hash for each ChangeLog item. Signed-off-by: Richard T Bonhomme <[email protected]>
Require OpenSSL v3 for use. If used then add an extra error message, to clarify that SSL option '-legacy' may not be supported by the SSL library in use. Improve 'help' and Changelog details. Signed-off-by: Richard T Bonhomme <[email protected]>
SSL option -days only configures certificate lifetime, it does not apply to the life-time of a CRL. For a CRL SSL option -crldays is required.

The script only succeeded before because openssl-easyrsa.cnf file always configured "default_crl_days = $EASYRSA_CRL_DAYS".

Changing the function to use -crldays means that 'default_crl_days' field can be removed from openssl-easyrsa.cnf file. However, this change only removes 'default_crl_days' from the auto-generated version of openssl-easyrsa.cnf - This means no changes are required for packaging the SSL config file.

Signed-off-by: Richard T Bonhomme <[email protected]>
The SSL config file is always verified as present when secure_session() is called, at the beginning of execution. This change forces the use of a temp-file, containing the current here-doc version of the SSL config file. If the current, existing file is NOT recognised as a hash identical file to either the release version or the here-doc version, which can include new version hashes, then the file is left in place and used. Otherwise, if the current file is recognised then it will be deleted and, from then on, a temp-file based on the here-doc will always be used in future. This approach also solves the problem of the unpopulated SSL config file field 'default_days = $ENV::EASYRSA_CERT_EXPIRE'. The solution here is to remove the unnecessary 'default_days' definition. The 'default_days' field is always configured via the command line. Signed-off-by: Richard T Bonhomme <[email protected]>
Signed-off-by: Richard T Bonhomme <[email protected]>
The temp-session has been moved to temp-storage, so cannot be removed. Signed-off-by: Richard T Bonhomme <[email protected]>
This was linked to issues Jan 6, 2024
Signed-off-by: Richard T Bonhomme <[email protected]>
The reason for this is to allow signed certificates to be imported, in order to create inline files for remote clients, who have sent a CSR to the CA and received a signed certificate from the CA. Signed-off-by: Richard T Bonhomme <[email protected]>
Signed-off-by: Richard T Bonhomme <[email protected]>
TinCanTech force-pushed the v3.2.0-beta2 branch from ccc8fbf to 6c47f7a (January 6, 2024 19:14)
Signed-off-by: Richard T Bonhomme <[email protected]>
These flags should be set before selecting a vars file. Set information about "no vars file selected" to verbose level. Signed-off-by: Richard T Bonhomme <[email protected]>
This ensures command 'write' output will remain unpolluted by user and diagnostic messages, which allows for the raw command output to be externally redirected to a file. Signed-off-by: Richard T Bonhomme <[email protected]>
Signed-off-by: Richard T Bonhomme <[email protected]>
Signed-off-by: Richard T Bonhomme <[email protected]>
This looks more intrusive than it really is.

The problem to solve is creating an openssl-easyrsa.cnf file in the EASYRSA_TEMP_DIR, as a temp-file.

1. Remove write_easyrsa_ssl_cnf_tmp() from secure_session(): This was not the correct place to create the SSL cnf file.
2. make_safe_ssl(): pass parameters to 'easyrsa_openssl makesafeconf'
3. Specify a new variable for the 'safe-ssl' file: $safe_target_file
3.a If $safe_target_file is specified then send output to it. Otherwise, send output to 'stdout' (As all other 'write' commands).
4. Secure a temp-session, only if it has not been done before.
4.a Create openssl-easyrsa.cnf (Temp), only if a secure session was created above. Otherwise, this file has already been created.
5. write_easyrsa_ssl_cnf_tmp: Set OPENSSL_CONF=/dev/null for subshell use of raw SSL execution.
6. Have legacy_files() require_pki=1 and verify_working_env(). Move '$legacy_file_over_write' confirmation to legacy_files()
7. Change 'write safe-ssl' from fixed output to the same as all other 'write' commands: output to 'stdout' or a predetermined file-name in a user specified directory, eg:
   - 'easyrsa write safe-ssl' or 'easyrsa write safe-ssl pki'
8. Recategorise 'write' as not requiring a PKI, because we may want to output to 'stdout' without a working PKI.
9. IMPORTANT: This is new for Easy-RSA, correct use of a temp-dir. If a working temp-dir exists then create a temp-session and openssl-easyrsa.cnf (Temp) file. This decouples the default temp-dir from a default PKI.

Unrelated change:
- Change a 'print' to 'information' in --keep-tmp code.

Signed-off-by: Richard T Bonhomme <[email protected]>
There is now 'ssl-cnf' or 'safe-cnf'. Signed-off-by: Richard T Bonhomme <[email protected]>
Signed-off-by: Richard T Bonhomme <[email protected]>
TinCanTech force-pushed the v3.2.0-beta2 branch from 57044d9 to bd6ccf9 (January 9, 2024 01:57)
Signed-off-by: Richard T Bonhomme <[email protected]>
TinCanTech force-pushed the v3.2.0-beta2 branch from bd6ccf9 to 906b737 (January 9, 2024 02:03)
The temp-session is recreated for each record read, otherwise the temp-file counter grows as the database grows. This way, temp-files are created as if each record is a separate instance of 'easyrsa'. Recreate the openssl-easyrsa.cnf (Temp) when the temp-session is recreated. Signed-off-by: Richard T Bonhomme <[email protected]>
TinCanTech force-pushed the v3.2.0-beta2 branch from fd5e125 to be2f4e8 (January 9, 2024 19:18)
Move the creation of secure_session and openssl-easyrsa.cnf (Temp) to verify_working_env(). Create a session and temp-file in the temp-dir EASYRSA_TEMP_DIR, provided that the directory exists. By default, EASYRSA_TEMP_DIR is set to the current PKI but that can be decoupled and command 'write' can be run without a PKI, so long as a valid temp-dir exists. Correction to error message about 'write <type>' being unknown. Signed-off-by: Richard T Bonhomme <[email protected]>
TinCanTech force-pushed the v3.2.0-beta2 branch from be2f4e8 to edb1ffb (January 9, 2024 19:30)
Minor improvement to code: Expand short-circuit switch. Signed-off-by: Richard T Bonhomme <[email protected]>
Signed-off-by: Richard T Bonhomme <[email protected]>
Commit 2a8c0de introduced "Delete existing openssl-easyrsa.cnf". This commit changes from deleting the file to ignoring the file and creating a drop-in temp-file but ONLY if the file is unchanged. Signed-off-by: Richard T Bonhomme <[email protected]>
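The selection rule described in this commit and in the earlier temp-file commit (ignore an on-disk openssl-easyrsa.cnf whose hash is recognised and use a temp copy of the built-in version, but keep and use a file whose hash is not recognised), as an added example that is not code from the easyrsa script. The function names, the temp-file name and the sample config content are assumptions.

```shell
#!/bin/sh
# Added example: hypothetical helper names, not taken from the easyrsa script.
# Built-in ("here-doc") copy of the config. Constructed sample content.
write_builtin_cnf() {
cat <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
default_md = sha256
EOF
}

# SHA-256 of a file, hex digest only.
file_hash() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d ' ' -f 1
    else
        openssl dgst -sha256 -r "$1" | cut -d ' ' -f 1
    fi
}

# select_ssl_cnf <existing-file> <temp-dir> [known-release-hash ...]
# Prints the path of the config file the session should use.
select_ssl_cnf() {
    existing=$1
    tmp_cnf="$2/openssl-easyrsa.cnf.tmp"
    shift 2
    write_builtin_cnf > "$tmp_cnf" || return 1
    # No file on disk: the temp copy is the only candidate.
    [ -f "$existing" ] || { printf '%s\n' "$tmp_cnf"; return 0; }
    current=$(file_hash "$existing") || return 1
    for known in "$(file_hash "$tmp_cnf")" "$@"; do
        if [ "$current" = "$known" ]; then
            # Unmodified stock file: ignore it and use the temp copy.
            printf '%s\n' "$tmp_cnf"
            return 0
        fi
    done
    # Unrecognised hash: treat as user-edited, leave it in place and use it.
    printf '%s\n' "$existing"
}

# Demo on constructed files in a throwaway directory.
demo_dir=$(mktemp -d)
write_builtin_cnf > "$demo_dir/openssl-easyrsa.cnf"
select_ssl_cnf "$demo_dir/openssl-easyrsa.cnf" "$demo_dir"  # temp copy path
echo 'default_md = sha512' >> "$demo_dir/openssl-easyrsa.cnf"
select_ssl_cnf "$demo_dir/openssl-easyrsa.cnf" "$demo_dir"  # existing file path
rm -rf "$demo_dir"
```

Extra arguments after the temp directory stand in for the hashes of earlier release versions of the file.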
Commit 60216d5, partially revert 2a8c0de. Signed-off-by: Richard T Bonhomme <[email protected]>
Allow easyrsa to find openssl-easyrsa.cnf in multiple locations. Signed-off-by: Richard T Bonhomme <[email protected]>
Signed-off-by: Richard T Bonhomme <[email protected]>
Replaced by command 'write safe-cnf' Signed-off-by: Richard T Bonhomme <[email protected]>
Important changes:
* openssl-easyrsa.cnf - All commands. 2a8c0de
  This does not delete default openssl-easyrsa.cnf.
* export-p12: Always set friendlyName field. da9e594
* export-p12: New command option legacy - Fallback to old algorithms. f8514de
* --enddate: openssl execution fails when --enddate is used #1056
* gen-crl: gen-crl should use -crldays not -days #1059
* make-safe-ssl c814e0a