Introduce Global Safe SSL config and Local SSL config #1163

Merged

TinCanTech
Collaborator

The global safe SSL config is used by ancillary commands, such as 'verify_file()' and 'display_dn()', when no other SSL config has been created so far.

The global safe SSL config is created with all env-vars fully expanded, which allows this file to be used by any SSL library.

The local SSL config is used by commands that build X509 files, such as build-ca and gen-req. This file is created per command.

The local SSL config is created as per the requirements of the SSL library in use, e.g. OpenSSL: unexpanded, LibreSSL: expanded.

The local SSL config is the file which is edited by commands, which insert data, such as "copy_extensions = copy" --copy-ext.

The local file is tracked via EASYRSA_SSL_CONF. Calling command easyrsa_openssl() finally sets OPENSSL_CONF to EASYRSA_SSL_CONF.

The global file is not tracked; it is only used when no local file has been created. OPENSSL_CONF is set to the global file, by default, from the start.

Signed-off-by: Richard T Bonhomme <[email protected]>

TinCanTech self-assigned this Jun 5, 2024
TinCanTech added the development Possible changes label Jun 5, 2024
TinCanTech linked an issue Jun 5, 2024 that may be closed by this pull request

This allows an old openssl-easyrsa.cnf (installed) to be fully expanded
for LibreSSL when the script tries to create an SSL config temp-file.

If the file in place is not recognised then it will be 'sed' expanded,
for either LibreSSL or EASYRSA_FORCE_SAFE_SSL.

Signed-off-by: Richard T Bonhomme <[email protected]>

This switch was used to allow 'sed' expansion of openssl-easyrsa.cnf
to a "safe" config file, instead of the preferred here-doc expansion.

This is no longer required.

Instead of expanding the SSL config file at the last moment, before
calling the SSL command to complete the EasyRSA command, expansion
takes place at the beginning, when the file is first found/created.

In the case of 'found', it is required to use 'sed' to expand any
file which is not recognised by SHA256 hash. If recognised then the
file in place is ignored and a here-doc expansion is used to create
a Safe SSL config.

In the case of created, that is always done from here-doc expansion.

Signed-off-by: Richard T Bonhomme <[email protected]>

TinCanTech linked an issue Jun 5, 2024 that may be closed by this pull request

Keeping EASYRSA_SSL_CONF separate from OPENSSL_CONF, until OPENSSL_CONF
is required by easyrsa_openssl(), allows each file to be independently
created, so that their existence does not interfere with each other.

Correct the type of SSL config created for write_easyrsa_ssl_cnf_tmp()
(Simple and annoying oversight).

Correct some verbose output.

Signed-off-by: Richard T Bonhomme <[email protected]>

TinCanTech force-pushed the refactor-ssl-cnf-here-doc-expansion branch from efc9ac2 to 5343fbb Compare June 7, 2024 18:19

Move the control to verify_ssl_lib(), where ssl_cnf_type is defined.
ssl_cnf_type can be considered as read-only.

Signed-off-by: Richard T Bonhomme <[email protected]>

TinCanTech added this to the v3.2.1 milestone Jun 8, 2024
TinCanTech merged commit 477725a into OpenVPN:master Jun 8, 2024
4 checks passed
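
The found/created decision described in the commit messages above, sketched as an added example; it is not EasyRSA's code. The function names, the known-hash argument and the short config text are assumptions, and only `EASYRSA_PKI` is expanded.

```shell
#!/bin/sh
# Added illustration: names, hash list and config text are constructed.

sha256_of() {   # SHA256 of file $1, with whichever tool is installed
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

write_cnf_heredoc() {   # here-doc: the shell expands values while writing
    cat <<EOF
[ CA_default ]
dir = ${EASYRSA_PKI}
certs = ${EASYRSA_PKI}/issued
EOF
}

expand_cnf_sed() {   # sed: keep the user's file, expand its ENV:: references
    esc=$(printf '%s' "$EASYRSA_PKI" | sed 's/[&|\\]/\\&/g')
    sed "s|\\\$ENV::EASYRSA_PKI|${esc}|g" "$1"
}

# make_safe_cnf FOUND KNOWN_HASHES OUT: writes OUT, prints the path taken
make_safe_cnf() {
    found=$1 known=$2 out=$3
    if [ ! -f "$found" ]; then
        write_cnf_heredoc >"$out"; echo created-heredoc
    elif printf '%s\n' "$known" | grep -qxF "$(sha256_of "$found")"; then
        write_cnf_heredoc >"$out"; echo recognised-heredoc
    else
        expand_cnf_sed "$found" >"$out"; echo unrecognised-sed
    fi
}

# Demo on constructed input: a locally edited config is not recognised
EASYRSA_PKI=${EASYRSA_PKI:-/tmp/demo-pki}
demo=$(mktemp -d)
printf '%s\n' '[ CA_default ]' 'dir = $ENV::EASYRSA_PKI' \
    'copy_extensions = copy' >"$demo/openssl-easyrsa.cnf"
make_safe_cnf "$demo/openssl-easyrsa.cnf" "" "$demo/safe.cnf"
cat "$demo/safe.cnf"
rm -rf "$demo"
```

The unrecognised branch preserves local edits such as `copy_extensions = copy`, which a here-doc rewrite would discard.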
Successfully merging this pull request may close these issues.

sign-req: --cop-ext is removed by --force-safe-ssl
Outline use and expansion of openssl-easyrsa.cnf