-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Introduce Global Safe SSL config and Local SSL config #1163
Merged
TinCanTech
merged 12 commits into
OpenVPN:master
from
TinCanTech:refactor-ssl-cnf-here-doc-expansion
Jun 8, 2024
Merged
Introduce Global Safe SSL config and Local SSL config #1163
TinCanTech
merged 12 commits into
OpenVPN:master
from
TinCanTech:refactor-ssl-cnf-here-doc-expansion
Jun 8, 2024
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The global safe SSL config is used by ancillary commands, such as 'vefiry_file()' and 'display_dn()', when no other SSL config has been created so far. The global safe SSL config is created with all env-vars fully expanded, which allows this file to be used by any SSL library. The local SSL config is used by commands that build X509 files, such as build-ca and gen-req. This file is created per command. The local SSL config is created as per the requirements of the SSL library in use. eg. OpenSSL:Unexpanded, LibreSSL:Expanded. The local SSL config is the file which is edited by commands, which insert data, such as "copy_extensions = copy" --copy-ext. The local file is tracked via EASYRSA_SSL_CONF. Calling command easyrsa_openssl() finally sets OPENSSL_CONF to EASYRSA_SSL_CONF. The global file is not tracked, it is only used when no local file has been created. OPENSSL_CONF is set to the global file, by default, from the start. Signed-off-by: Richard T Bonhomme <[email protected]>
Signed-off-by: Richard T Bonhomme <[email protected]>
This allows an old openssl-easyrsa.cnf (installed) to be fully expanded for LibreSSL when the script tries to create an SSL config temp-file. If the file in place is not recognised then it will be 'sed' expanded, for either LibreSSL or EASYRSA_FORCE_SAFE_SSL. Signed-off-by: Richard T Bonhomme <[email protected]>
Signed-off-by: Richard T Bonhomme <[email protected]>
This switch was used to allow 'sed' expansion of openssl-easyrsa.cnf to a "safe" config file, instead of the preferred here-doc expansion. This is no longer required. Instead of expanding the SSL config file at the last moment, before calling the SSL command to complete the EasyRSA command, expansion takes place at the beginning, when the file is first found/created. In the case of 'found', it is required to use 'sed' to expand any file which is not recognised by SHA256 hash. If recognised then the file in place is ignored and a here-doc expansion is used to create a Safe SSL config. In the case of created, that is always done from here-doc expansion. Signed-off-by: Richard T Bonhomme <[email protected]>
Keeping EASYRSA_SSL_CONF separate from OPENSSL_CONF, until OPENSSL_CONF is required by easyrsa_openssl(), allows each file to be independently created, so that their existence does not interfere with each other. Correct the type of SSL config created for write_easyrsa_ssl_cnf_tmp() (Simple and annoying over-sight). Correct some verbose output. Signed-off-by: Richard T Bonhomme <[email protected]>
TinCanTech
force-pushed
the
refactor-ssl-cnf-here-doc-expansion
branch
from
June 7, 2024 18:19
efc9ac2
to
5343fbb
Compare
Move the control to verify_ssl_lib(), where ssl_cnf_type is defined. ssl_cnf_type can be considered as read-only. Signed-off-by: Richard T Bonhomme <[email protected]>
Signed-off-by: Richard T Bonhomme <[email protected]>
TinCanTech
added
EasyRSA-OpenSSL-Config
enhancement
easyrsa-tools.lib
Version 3.2.1-Release
and removed
development
Possible changes
labels
Jun 7, 2024
Signed-off-by: Richard T Bonhomme <[email protected]>
…ement Signed-off-by: Richard T Bonhomme <[email protected]>
Signed-off-by: Richard T Bonhomme <[email protected]>
Signed-off-by: Richard T Bonhomme <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The global safe SSL config is used by ancillary commands, such as 'vefiry_file()' and 'display_dn()', when no other SSL config has been created so far.
The global safe SSL config is created with all env-vars fully expanded, which allows this file to be used by any SSL library.
The local SSL config is used by commands that build X509 files, such as build-ca and gen-req. This file is created per command.
The local SSL config is created as per the requirements of the SSL library in use. eg. OpenSSL:Unexpanded, LibreSSL:Expanded.
The local SSL config is the file which is edited by commands, which insert data, such as "copy_extensions = copy" --copy-ext.
The local file is tracked via EASYRSA_SSL_CONF. Calling command easyrsa_openssl() finally sets OPENSSL_CONF to EASYRSA_SSL_CONF.
The global file is not tracked, it is only used when no local file has been created. OPENSSL_CONF is set to the global file, by default, from the start.