From mboxrd@z Thu Jan 1 00:00:00 1970
From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH] ovpn.cnf: Removal of SKID & AKID from server section - Fixes Bug#13595
Date: Mon, 19 Feb 2024 15:16:32 +0100
Message-ID: <20240219141632.14939-1-adolf.belka@ipfire.org>

- The update to openssl-3.2.x introduced a bug fix which now gives an error if the subjectKeyIdentifier (SKID) or authorityKeyIdentifier (AKID) is in the x509 extensions for a CSR.
- See the following discussion in the openssl github issues https://github.com/openssl/openssl/issues/22966#issuecomment-1858396738
- The SKID & AKID should never have been specified in the CSR but due to a bug they were never flagged with an error, just ignored. Since the bug fix for that bug was put into OpenSSL-3.2.0 the presence of the SKID & AKID in the CSR causes an error to be flagged.
- The consequence of this is that in CU183 trying to create a new x509 root/host certificate gives an error when the CSR is generated so only the root certificate is created and not the host certificate.
- Tested out the removal of the SKID & AKID lines from the [ server ] section of the ovpn.cnf file and the root/host certificate set was created without any issue.
- Then tested the creation of a RW client connection and that worked with no problems. Also creating a fresh N2N connection worked without any problems.
- Also tested restoring from an earlier backup. The RW and N2N connections worked without issues with the AKID and SKID missing from the [ server ] section.
- It would be good if this could be merged into CU184 for final testing.

Fixes: Bug#13595
Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
---
 config/ovpn/openssl/ovpn.cnf | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/config/ovpn/openssl/ovpn.cnf b/config/ovpn/openssl/ovpn.cnf index 96c3dcb09..bfa7ad744 100644 --- a/config/ovpn/openssl/ovpn.cnf +++ b/config/ovpn/openssl/ovpn.cnf @@ -79,13 +79,10 @@ extendedKeyUsage =3D clientAuth keyUsage =3D digitalSignature =20 [ server ] - # JY ADDED -- Make a cert with nsCertType set to "server" basicConstraints =3D CA:FALSE nsCertType =3D server nsComment =3D "OpenSSL Generated Server Certificate" -subjectKeyIdentifier =3D hash -authorityKeyIdentifier =3D keyid,issuer:always=20 extendedKeyUsage =3D serverAuth keyUsage =3D digitalSignature, keyEncipherment =20 --=20 2.43.2 --===============7051414617857181690==--
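Review bot: The hunk in the [ server ] section drops three lines, but the commit message only explains two of them; the removal of the "# JY ADDED -- Make a cert with nsCertType set to "server"" comment is not mentioned anywhere, so either keep that comment (it documents why nsCertType = server is there) or add a sentence to the message saying the stale comment is being removed as well. Also, the message justifies dropping subjectKeyIdentifier = hash and authorityKeyIdentifier = keyid,issuer:always because they must not appear in a CSR, but it does not say whether [ server ] is used only as the request-extension section or also as the extension section applied when the CA signs the host certificate; if it is the latter, issued server certificates will now lack both identifiers. The RW and N2N tests reported in the message do not cover that, so a one-line statement of which openssl invocation references [ server ], and whether the resulting certificate still carries SKID/AKID, would make the change easier to review.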