From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH 2/2] ovpnmain.cgi: Fixes Bug#13117 - adds legacy option to openssl commands for cert & key extraction
Date: Sun, 21 May 2023 14:45:44 +0200
Message-ID: <20230521124544.3457345-2-adolf.belka@ipfire.org>
In-Reply-To: <20230521124544.3457345-1-adolf.belka@ipfire.org>

- Any insecure connections made with openssl-3.x can have the cert and key extracted
  but if the insecure connection was made from prior to CU175 Testing then it used
  openssl-1.1.1 which causes an error under openssl-3.x due to the old version
  being able to accept older ciphers no longer accepted by openssl-3.x
- Adding the -legacy option to the openssl commands enables openssl-3.x to successfully
  open them and extract the cert and key
- Successfully tested on a vm system. Confirmed that the downloaded version under
  openssl-3.x worked exactly the same as the version downloaded under openssl-1.1.1

Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
---
 html/cgi-bin/ovpnmain.cgi | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 mode change 100644 => 100755 html/cgi-bin/ovpnmain.cgi

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
old mode 100644
new mode 100755
index 50ad21e79..5b0accf3f
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -2227,7 +2227,7 @@ else =20 # Extract the certificate # This system call is safe, because all arguments are passed as an array. - system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs= /$confighash{$cgiparams{'KEY'}}[1].p12", + system('/usr/bin/openssl', 'pkcs12', '-legacy', '-in', "${General::swroot}= /ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", '-clcerts', '-nokeys', '-nodes', '-out', "$file_crt" , '-passin', 'pass:'= ); if ($?) { die "openssl error: $?"; @@ -2238,7 +2238,7 @@ else =20 # Extract the key # This system call is safe, because all arguments are passed as an array. - system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs= /$confighash{$cgiparams{'KEY'}}[1].p12", + system('/usr/bin/openssl', 'pkcs12', '-legacy', '-in', "${General::swroot}= /ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", '-nocerts', '-nodes', '-out', "$file_key", '-passin', 'pass:'); if ($?) { die "openssl error: $?"; --=20 2.40.1 --===============2743417375260368214==--
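Review bot: in the certificate-extraction hunk (line 2227), `-legacy` is added unconditionally, so the legacy provider is loaded for every extraction, including .p12 files written by OpenSSL 3.x that do not need it, and the call now hard-depends on the legacy provider module being installed: if it is absent, `openssl pkcs12 -legacy` fails and `die "openssl error: $?"` fires for every download, not only the pre-CU175 ones the commit message describes. Suggest either confirming the legacy provider ships with the openssl package on this system, or running the `system(...)` call without `-legacy` first and retrying with it only when that first attempt fails.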
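Review bot: the key-extraction hunk (line 2238) repeats the certificate call's argument list apart from `'-nocerts'` versus `'-clcerts', '-nokeys'`, which is why the `-legacy` change had to be made in two places; factoring the shared `'/usr/bin/openssl', 'pkcs12', '-legacy', '-in', "...p12"` prefix into one variable would keep the two invocations from drifting and make it a one-line change to drop `-legacy` again once the old .p12 files have been re-exported. Minor: `$?` in `die "openssl error: $?"` is Perl's raw wait status, so a failing openssl is reported as 256 rather than exit code 1; `$? >> 8` gives the actual exit code.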