Re: [PATCH] vpnmain.cgi: Fixes bug#13138 - root/host certificate set fails to be created

public inbox for development@lists.ipfire.org
 help / color / mirror / Atom feed

From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: [PATCH] vpnmain.cgi: Fixes bug#13138 - root/host certificate set fails to be created
Date: Mon, 05 Jun 2023 11:34:56 +0100	[thread overview]
Message-ID: <EDDFDA11-1918-482C-B699-777FD0630F1D@ipfire.org> (raw)
In-Reply-To: <20230603140541.13834-1-adolf.belka@ipfire.org>

[-- Attachment #1: Type: text/plain, Size: 4161 bytes --]

Reviewed-by: Michael Tremer <michael.tremer(a)ipfire.org>

I am not sure what I can say about this. I suppose it is another dirty fix that I would prefer not to have?

Thank you for investigating!

> On 3 Jun 2023, at 15:05, Adolf Belka <adolf.belka(a)ipfire.org> wrote:
> 
> - The change to openssl-3.x results in the openssl commands that start with ca failing
>   with the error message
>     OpenSSL produced an error: <br>40E7B4719B730000:error:0700006C:configuration file
>     routines:NCONF_get_string:no value:crypto/conf/conf_lib.c:315:group=<NULL>
>     name=unique_subject
> - The fix for this is to include the unique_subject = yes line into
>   /var/ipfire/certs/index.txt.attr
> - Additionally, based on the learnings from bug#13137 on OpenVPN, any openssl commands
>   dealing with pkcs12 (.p12) files that were created with openssl-1.1.1x fail when being
>   accessed with openssl-3.x due to the no longer supported algorithm. These can be
>   accessed if the -legacy option is added to every openssl command dealing with pkcs12
> 
> Fixes: Bug#13138
> Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
> Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
> ---
> html/cgi-bin/vpnmain.cgi | 15 ++++++++-------
> 1 file changed, 8 insertions(+), 7 deletions(-)
> 
> diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
> index 6c1fd4cf0..f2aeecdf9 100644
> --- a/html/cgi-bin/vpnmain.cgi
> +++ b/html/cgi-bin/vpnmain.cgi
> @@ -193,7 +193,7 @@ sub cleanssldatabase {
> close FILE;
> }
> if (open(FILE, ">${General::swroot}/certs/index.txt.attr")) {
> - print FILE "";
> + print FILE "unique_subject = yes";
> close FILE;
> }
> unlink ("${General::swroot}/certs/index.txt.old");
> @@ -213,6 +213,7 @@ sub newcleanssldatabase {
> }
> if (! -s ">${General::swroot}/certs/index.txt.attr") {
> open(FILE, ">${General::swroot}/certs/index.txt.attr");
> + print FILE "unique_subject = yes";
> close(FILE);
> }
> unlink ("${General::swroot}/certs/index.txt.old");
> @@ -907,7 +908,7 @@ END
> # Extract the CA certificate from the file
> &General::log("ipsec", "Extracting caroot from p12...");
> if (open(STDIN, "-|")) {
> - my $opt = " pkcs12 -cacerts -nokeys";
> + my $opt = " pkcs12 -legacy -cacerts -nokeys";
> $opt .= " -in $filename";
> $opt .= " -out /tmp/newcacert";
> $errormessage = &callssl ($opt);
> @@ -920,7 +921,7 @@ END
> if (!$errormessage) {
> &General::log("ipsec", "Extracting host cert from p12...");
> if (open(STDIN, "-|")) {
> - my $opt = " pkcs12 -clcerts -nokeys";
> + my $opt = " pkcs12 -legacy -clcerts -nokeys";
> $opt .= " -in $filename";
> $opt .= " -out /tmp/newhostcert";
> $errormessage = &callssl ($opt);
> @@ -934,7 +935,7 @@ END
> if (!$errormessage) {
> &General::log("ipsec", "Extracting private key from p12...");
> if (open(STDIN, "-|")) {
> - my $opt = " pkcs12 -nocerts -nodes";
> + my $opt = " pkcs12 -legacy -nocerts -nodes";
> $opt .= " -in $filename";
> $opt .= " -out /tmp/newhostkey";
> $errormessage = &callssl ($opt);
> @@ -1939,7 +1940,7 @@ END
> # Extract the CA certificate from the file
> &General::log("ipsec", "Extracting caroot from p12...");
> if (open(STDIN, "-|")) {
> - my $opt = " pkcs12 -cacerts -nokeys";
> + my $opt = " pkcs12 -legacy -cacerts -nokeys";
> $opt .= " -in $filename";
> $opt .= " -out /tmp/newcacert";
> $errormessage = &callssl ($opt);
> @@ -1952,7 +1953,7 @@ END
> if (!$errormessage) {
> &General::log("ipsec", "Extracting host cert from p12...");
> if (open(STDIN, "-|")) {
> - my $opt = " pkcs12 -clcerts -nokeys";
> + my $opt = " pkcs12 -legacy -clcerts -nokeys";
> $opt .= " -in $filename";
> $opt .= " -out /tmp/newhostcert";
> $errormessage = &callssl ($opt);
> @@ -2197,7 +2198,7 @@ END
> 
> # Create the pkcs12 file
> &General::log("ipsec", "Packing a pkcs12 file...");
> - $opt = " pkcs12 -export";
> + $opt = " pkcs12 -legacy -export";
> $opt .= " -inkey ${General::swroot}/certs/$cgiparams{'NAME'}key.pem";
> $opt .= " -in ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem";
> $opt .= " -name \"$cgiparams{'NAME'}\"";
> -- 
> 2.40.1
>

     prev parent reply	other threads:[~2023-06-05 10:34 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-06-03 14:05 Adolf Belka
2023-06-05 10:34 ` Michael Tremer [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=EDDFDA11-1918-482C-B699-777FD0630F1D@ipfire.org \
    --to=michael.tremer@ipfire.org \
    --cc=development@lists.ipfire.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox