v3.2.0-beta2
#1055
Merged
v3.2.0-beta2
#1055
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
This changes default behavior from NEVER setting a friendlyName
to ALWAYS setting friendlyName to the file-name-base.
The friendlyName is "typically displayed in list boxes by software
importing the file".
Having Easy-RSA populate this field with known values, which do not
leak excess information, is considered to be appropriate.
An alternate friendlyName can be configured by using:
* Global option '--usefn=<friendlyName>'
Fallback to previous behavior can be configured by using:
* Command option 'nofn' ('friendlyname' will not be set)
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Also, improve current v3.2.0 details by replacing single pull-request ID with shortened commit hash for each ChangeLog item. Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Require OpenSSL v3 for use. If used then add an extra error message, to clarify that SSL option '-legacy' may not be supported by the SSL library in use. Improve 'help' and Changelog details. Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
SSL option -days only configures certificate lifetime, it does not apply to the life-time of a CRL. For a CRL SSL option -crldays is required. The script only succeeded before because openssl-easyrsa.cnf file always configured "default_crl_days = $EASYRSA_CRL_DAYS". Changing the function to use -crldays means that 'default_crl_days' field can be removed from openssl-easyrsa.cnf file. However, this change only removes 'default_crl_days' from the auto- generated version of openssl-easyrsa.cnf - This means no changes are required for packaging the SSL config file. Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
The SSL config file is always verified as present when secure_session() is called, at the beginning of execution. This change forces the use of a temp-file, containing the current here-doc version of the SSL config file. If the current, existing file is NOT recognised as a hash identical file to either the release version or the here-doc version, which can include new version hashes, then the file is left in place and used. Otherwise, if the current file is recognised then it will be deleted and, from then on, a temp-file based on the here-doc will always be used in future. This approach also solves the problem of the unpopulated SSL config file field 'default_days = $ENV::EASYRSA_CERT_EXPIRE'. The solution here is to remove the unnecessary 'default_days' definition. The 'default_days' field is always configured via the command line. Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
The temp-session has been moved to temp-storage, so cannot be removed. Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
This was
linked to
issues
Jan 6, 2024
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
The reason for this is to allow signed certificates to be imported, in order to create inline files for remote clients, who have sent a CSR to the CA and received a signed certificate from the CA. Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
TinCanTech
force-pushed
the
v3.2.0-beta2
branch
from
ccc8fbf
to
6c47f7a
Compare
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
These flags should be set before selecting a vars file. Set information about "no vars file selected" to verbose level. Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
This ensures command 'write' output will remain unpolluted by user and diagnostic messages; Which allows for the raw command output to be extenally redirected to a file. Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
This looks more intrusive than it really is. The problem to solve is creating a openssl-easyrsa.cnf file in the EASYRSA_TEMP_DIR, as a temp-file. 1. Remove write_easyrsa_ssl_cnf_tmp() from secure_session(): This was not the correct place to create the SSL cnf file. 2. make_safe_ssl(): pass parameters to 'easyrsa_openssl makesafeconf' 3. Specify a new variable for the 'safe-ssl' file: $safe_target_file 3.a If $safe_target_file is specified then send output to it. Otherwise, send output to 'stdout' (As all other 'write' commands). 4. Secure a temp-session, only if it has not been done before. 4.a Create openssl-easyrsa.cnf (Temp), only if a secure session was created above. Otherwise, this file has already been created. 5. write_easyrsa_ssl_cnf_tmp: Set OPENSSL_CONF=/dev/null for subshell use of raw SSL execution. 6. Have legacy_files() require_pki=1 and verify_working_env(). Move '$legacy_file_over_write' confirmation to legacy_files() 7. Change 'write safe-ssl' from fixed output to the same as all other 'write' commands: output to 'stdout' or a predetermined file-name in a user specified directory, eg: - 'easyrsa write safe-ssl' or 'easyrsa write safe-ssl pki' 8. Recatagorise 'write' as not requiring a PKI, because we may want to output to 'stdout' without a working PKI. 9. IMPORTANT: This is new for Easy-RSA, correct use of a temp-dir. If a working temp-dir exists then create a temp-session and openssl-easyrsa.cnf (Temp) file. This decouples the default temp-dir from a default PKI. Unrelated change: - Change a 'print' to 'information' in --keep-tmp code. Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
There is now 'ssl-cnf' or 'safe-cnf'. Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
TinCanTech
force-pushed
the
v3.2.0-beta2
branch
from
57044d9
to
bd6ccf9
Compare
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
TinCanTech
force-pushed
the
v3.2.0-beta2
branch
from
bd6ccf9
to
906b737
Compare
The temp-session is recreate for each record read, otherwise the temp-file counter grows as the database grows. This way, temp-files are created as if each record is a separate instance of 'easyrsa'. Recreate the openssl-easyrsa.cnf (Temp) when the temp-session is recreated. Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
TinCanTech
force-pushed
the
v3.2.0-beta2
branch
from
fd5e125
to
be2f4e8
Compare
Move the creation of secure_session and openssl-easyrsa.cnf (Temp) to verify_working_env(). Create a session and temp-file in the temp-dir EASRSA_TEMP_DIR, provided that the directory exists. By default, EASYRSA_TEMP_DIR is set to the current PKI but that can be decoupled and command 'write' can be run without a PKI, so long as a valid temp-dir exists. Correction to error message about 'write <type>' being unknown. Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
TinCanTech
force-pushed
the
v3.2.0-beta2
branch
from
be2f4e8
to
edb1ffb
Compare
Minor improvement to code: Expand short-circuit switch. Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Commit 2a8c0de introduced "Delete existing openssl-easyrsa.cnf". This commit changes from deleting the file to ignoring the file and creating a drop-in temp-file but ONLY if the file is unchanged. Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Allow easyrsa to find openssl-easyrsa.cnf in multiple locations. Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Replaced by command 'write safe-cnf' Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Important changes:
openssl-easyrsa.cnf- All comands. 2a8c0deThis does not delete default
openssl-easyrsa.cnf.export-p12: Always setfriendlyNamefield. da9e594export-p12: New command optionlegacy- Fallback to old algorithms. f8514de--enddateopenssl execution fails when --enddate is used #1056gen-crlgen-crlshould use-crldaysnot-days#1059make-safe-sslc814e0a