
Simplify easyrsa_openssl() #749

Closed
TinCanTech opened this issue Nov 1, 2022 · 3 comments · Fixed by #807

Comments

TinCanTech commented Nov 1, 2022

Example:

  • If a PKI exists then always create a safe SSL config file.
    Use has-config to select when the config is required for an SSL command only.
TinCanTech commented Dec 2, 2022

Changes made so far have uncovered a problem.

Both LibreSSL and OpenSSL complain loudly when OPENSSL_CONF is set to a non-existent file.

This means, to stop the error messages, OPENSSL_CONF has to be set to a real config file.

Which means, for LibreSSL, every call must have a fully expanded EasyRSA safe SSL config file.

Thus, easyrsa_openssl() does not need to distinguish between SSL commands that require a config and those that do not.

Instead:

  • Always generate a safe SSL config file.
  • Always set OPENSSL_CONF to the safe SSL config file.

TinCanTech commented Dec 2, 2022

It gets even worse...

Some SSL commands do not support -config, however, OPENSSL_CONF is ALWAYS loaded ...

tct@home:~/git/easy-rsa/test/installed/test D$ /home/tct/openssl/openssl-3.0.3/apps/openssl rand -hex 4
57346213
tct@home:~/git/easy-rsa/test/installed/test D$ /home/tct/libressl/libressl-3.6.1/apps/openssl/openssl rand -hex 4
WARNING: can't open config file: /usr/local/etc/ssl/openssl.cnf
e5948d40
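The approach from the two comments above (always generate a safe config, always set OPENSSL_CONF to it, no distinction between commands that take -config and those that do not), as an added example that is not Easy-RSA's own code. The variable names EASYRSA_PKI and EASYRSA_OPENSSL, the file name safe-ssl.cnf and the config content are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not Easy-RSA's own code): a wrapper along the lines proposed in
# the thread. It always writes a minimal "safe" SSL config into the PKI directory
# and points OPENSSL_CONF at it, so every SSL command, including ones such as
# "rand" that accept no -config option but still load OPENSSL_CONF, sees a real
# file and LibreSSL's "can't open config file" warning cannot appear.

# Assumptions (hypothetical names): EASYRSA_PKI is the PKI directory (a temporary
# one is created if unset), EASYRSA_OPENSSL is the SSL binary to call.
EASYRSA_PKI="${EASYRSA_PKI:-$(mktemp -d)}"
EASYRSA_OPENSSL="${EASYRSA_OPENSSL:-openssl}"

# Return 0 when OPENSSL_CONF is unset or names a readable file, 1 when it points
# at a missing file (the case both OpenSSL and LibreSSL complain about).
openssl_conf_is_sane() {
    [ -z "${OPENSSL_CONF:-}" ] || [ -r "$OPENSSL_CONF" ]
}

# Write the safe config (constructed minimal content) if it is not there yet and
# print its path. The file name "safe-ssl.cnf" is a placeholder for this example.
write_safe_ssl_cnf() {
    cnf="$EASYRSA_PKI/safe-ssl.cnf"
    if [ ! -r "$cnf" ]; then
        cat > "$cnf" <<'EOF' || return 1
# Constructed minimal config: parses cleanly under both OpenSSL and LibreSSL
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
    fi
    printf '%s\n' "$cnf"
}

# Run any SSL command with OPENSSL_CONF always set to the safe config.
# No distinction between commands that take -config and those that do not.
easyrsa_openssl() {
    cnf=$(write_safe_ssl_cnf) || return 1
    OPENSSL_CONF="$cnf" "$EASYRSA_OPENSSL" "$@"
}

# Demo: "rand" has no -config option but still loads OPENSSL_CONF; with the safe
# file in place it prints its hex output and nothing else. Skipped if no binary.
if command -v "$EASYRSA_OPENSSL" >/dev/null 2>&1; then
    easyrsa_openssl rand -hex 4
fi
```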

TinCanTech commented Dec 3, 2022

Hand-off regular/common subsidiary SSL commands to wrapper functions.

E.g. certificate serial-number and valid operational dates.
