Fix PKCS#12 mobileconfig installation errors when using openssl version > 3 (trailofbits#14558) #14622
Check the openssl version and add -legacy flag for newer versions when working with pkcs#12 files. Original fix by https://github.com/omgagg/algo/tree/custom was updated to use a shell script to get the version. This fixes #14558
Description
In roles/strongswan/tasks/openssl.yml, get the version of openssl, set as a fact. In subsequent openssl tasks related to the pkcs#12 certs, if the version > 3, then add the -legacy flag, as described in [the OpenSSL documentation](https://www.openssl.org/docs/man3.0/man1/openssl-pkcs12.html).
Motivation and Context
Per #14558, with newer versions of OpenSSL, the mobileconfig files created could not be installed on MacOS or iOS devices (untested on Android or Windows), with the process failing with an authentication error. By adding the -legacy flag to the OpenSSL commands, the certs can be installed.
How Has This Been Tested?
Changes have only been manually tested when running algo in a docker instance, and only when building to EC2 targets.
Due to a lack of resources, I can't easily test in other situations.
docker build . -name custom/algo:latest
docs/deploy-from-docker.md
ipsec/apple/laptop.mobileconfig file to MacOS (double-click)
ipsec/apple/iphone.mobileconfig file to iPhone
ipsec/apple/desktop.mobileconfig file to iPad
Types of changes
Checklist:
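The version check described in this pull request, sketched as a stand-alone shell helper. This is an added example, not the PR's Ansible tasks or the project's code; the function names `pkcs12_legacy_flag` and `export_p12` and the `P12_PASSWORD` variable are hypothetical. It goes slightly beyond the description by leaving the flag off for LibreSSL, which also reports a 3.x version but has no `-legacy` option.

```shell
#!/bin/sh
# Added example: decide whether `openssl pkcs12` needs -legacy.
# Function names and P12_PASSWORD are hypothetical, not from the PR.

# Print "-legacy" when the banner identifies OpenSSL 3 or later,
# print nothing otherwise.
# $1: output of `openssl version`, e.g. "OpenSSL 3.0.2 15 Mar 2022"
pkcs12_legacy_flag() {
    banner=$1
    case $banner in
        OpenSSL\ *) ;;              # genuine OpenSSL: inspect the version
        *) return 0 ;;              # LibreSSL and others: no -legacy option
    esac
    version=${banner#OpenSSL }      # "3.0.2 15 Mar 2022"
    major=${version%%.*}            # "3"
    case $major in
        ''|*[!0-9]*) return 0 ;;    # unparsable banner: leave the flag off
    esac
    if [ "$major" -ge 3 ]; then
        printf '%s\n' '-legacy'
    fi
}

# Export a PKCS#12 bundle, adding -legacy only where it is required.
# In legacy mode OpenSSL uses its older default algorithms (RC2 or 3DES)
# for the container, so the passphrase in P12_PASSWORD carries more weight.
# $1: private key, $2: certificate, $3: output .p12 path
export_p12() {
    key=$1
    cert=$2
    out=$3
    legacy=$(pkcs12_legacy_flag "$(openssl version)")
    # $legacy is deliberately unquoted: an empty value adds no argument.
    openssl pkcs12 -export $legacy \
        -inkey "$key" -in "$cert" -out "$out" \
        -passout env:P12_PASSWORD
}
```
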