From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: [PATCH] vpnmain.cgi: Fixes bug#13138 - root/host certificate set fails to be created
Date: Mon, 05 Jun 2023 11:34:56 +0100
In-Reply-To: <20230603140541.13834-1-adolf.belka@ipfire.org>

Reviewed-by: Michael Tremer

I am not sure what I can say about this. I suppose it is another dirty fix that I would prefer not to have?

Thank you for investigating!

> On 3 Jun 2023, at 15:05, Adolf Belka wrote:
>
> - The change to openssl-3.x results in the openssl commands that start with ca failing
> with the error message
> OpenSSL produced an error:
40E7B4719B730000:error:0700006C:configur= ation file > routines:NCONF_get_string:no value:crypto/conf/conf_lib.c:315:group=3D<= NULL> > name=3Dunique_subject > - The fix for this is to include the unique_subject =3D yes line into > /var/ipfire/certs/index.txt.attr > - Additionally, based on the learnings from bug#13137 on OpenVPN, any opens= sl commands > dealing with pkcs12 (.p12) files that were created with openssl-1.1.1x fa= il when being > accessed with openssl-3.x due to the no longer supported algorithm. These= can be > accessed if the -legacy option is added to every openssl command dealing = with pkcs12 >=20 > Fixes: Bug#13138 > Tested-by: Adolf Belka > Signed-off-by: Adolf Belka > --- > html/cgi-bin/vpnmain.cgi | 15 ++++++++------- > 1 file changed, 8 insertions(+), 7 deletions(-) >=20 > diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi > index 6c1fd4cf0..f2aeecdf9 100644 > --- a/html/cgi-bin/vpnmain.cgi > +++ b/html/cgi-bin/vpnmain.cgi > @@ -193,7 +193,7 @@ sub cleanssldatabase { > close FILE; > } > if (open(FILE, ">${General::swroot}/certs/index.txt.attr")) { > - print FILE ""; > + print FILE "unique_subject =3D yes"; > close FILE; > } > unlink ("${General::swroot}/certs/index.txt.old"); > @@ -213,6 +213,7 @@ sub newcleanssldatabase { > } > if (! -s ">${General::swroot}/certs/index.txt.attr") { > open(FILE, ">${General::swroot}/certs/index.txt.attr"); > + print FILE "unique_subject =3D yes"; > close(FILE); > } > unlink ("${General::swroot}/certs/index.txt.old"); > @@ -907,7 +908,7 @@ END > # Extract the CA certificate from the file > &General::log("ipsec", "Extracting caroot from p12..."); > if (open(STDIN, "-|")) { > - my $opt =3D " pkcs12 -cacerts -nokeys"; > + my $opt =3D " pkcs12 -legacy -cacerts -nokeys"; > $opt .=3D " -in $filename"; > $opt .=3D " -out /tmp/newcacert"; > $errormessage =3D &callssl ($opt); 
> @@ -920,7 +921,7 @@ END > if (!$errormessage) { > &General::log("ipsec", "Extracting host cert from p12..."); > if (open(STDIN, "-|")) { > - my $opt =3D " pkcs12 -clcerts -nokeys"; > + my $opt =3D " pkcs12 -legacy -clcerts -nokeys"; > $opt .=3D " -in $filename"; > $opt .=3D " -out /tmp/newhostcert"; > $errormessage =3D &callssl ($opt); > @@ -934,7 +935,7 @@ END > if (!$errormessage) { > &General::log("ipsec", "Extracting private key from p12..."); > if (open(STDIN, "-|")) { > - my $opt =3D " pkcs12 -nocerts -nodes"; > + my $opt =3D " pkcs12 -legacy -nocerts -nodes"; > $opt .=3D " -in $filename"; > $opt .=3D " -out /tmp/newhostkey"; > $errormessage =3D &callssl ($opt); > @@ -1939,7 +1940,7 @@ END > # Extract the CA certificate from the file > &General::log("ipsec", "Extracting caroot from p12..."); > if (open(STDIN, "-|")) { > - my $opt =3D " pkcs12 -cacerts -nokeys"; > + my $opt =3D " pkcs12 -legacy -cacerts -nokeys"; > $opt .=3D " -in $filename"; > $opt .=3D " -out /tmp/newcacert"; > $errormessage =3D &callssl ($opt); > @@ -1952,7 +1953,7 @@ END > if (!$errormessage) { > &General::log("ipsec", "Extracting host cert from p12..."); > if (open(STDIN, "-|")) { > - my $opt =3D " pkcs12 -clcerts -nokeys"; > + my $opt =3D " pkcs12 -legacy -clcerts -nokeys"; > $opt .=3D " -in $filename"; > $opt .=3D " -out /tmp/newhostcert"; > $errormessage =3D &callssl ($opt); > @@ -2197,7 +2198,7 @@ END >=20 > # Create the pkcs12 file > &General::log("ipsec", "Packing a pkcs12 file..."); > - $opt =3D " pkcs12 -export"; > + $opt =3D " pkcs12 -legacy -export"; > $opt .=3D " -inkey ${General::swroot}/certs/$cgiparams{'NAME'}key.pem"; > $opt .=3D " -in ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"; > $opt .=3D " -name \"$cgiparams{'NAME'}\""; > --=20 > 2.40.1 >=20 --===============9036500169155115227==--
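Review bot: in the "@@ -193,7 +193,7 @@ sub cleanssldatabase" hunk the added line print FILE "unique_subject = yes"; writes the attribute without a terminating newline, whereas openssl ca writes this same file as "unique_subject = yes" followed by a newline whenever it rewrites the database, so the file this code produces and the file openssl later produces differ in their last byte. Write "unique_subject = yes\n" so the two are identical and the last line is properly terminated if a second attribute is ever appended. The print itself is also unchecked: a write failure (full or read-only /var/ipfire) leaves an empty index.txt.attr behind, which reproduces exactly the NCONF_get_string "no value" error from the commit message with nothing in the log to explain it, so checking the return of print and close and logging on failure would be worth adding while this block is being touched.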
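Review bot: in the "@@ -213,6 +213,7 @@ sub newcleanssldatabase" hunk the guarding context line if (! -s ">${General::swroot}/certs/index.txt.attr") hands the open-mode string, leading ">" included, to Perl's -s file test, so it tests a path that never exists, the condition is always true and an existing index.txt.attr is truncated and rewritten on every call. That pre-existing mistake is the only reason the new print FILE "unique_subject = yes"; line in this hunk takes effect on an already populated database; the test should read if (! -s "${General::swroot}/certs/index.txt.attr"), and the open on the following line has no error check, unlike the same block in cleanssldatabase above. The missing trailing "\n" noted for the first hunk applies here as well.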
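Review bot: the -legacy flag added in the "@@ -907", "@@ -920", "@@ -934", "@@ -1939" and "@@ -1952" hunks (pkcs12 -legacy -cacerts -nokeys and the sibling -clcerts / -nocerts -nodes calls) makes every .p12 import depend on OpenSSL being able to load its legacy provider module (legacy.so); if the openssl build on the firewall does not install that module, every import fails, including bundles created by OpenSSL 3 itself, which never needed it. Worth confirming that the openssl package ships the provider before this is merged, and worth stating in the commit message that -legacy on the import side is a compatibility shim for RC2/3DES-encrypted bundles produced by openssl-1.1.1, not something newly produced files require, so it can be removed again once such files are gone.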
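Review bot: in the "@@ -2197,7 +2198,7 @@" hunk, $opt = " pkcs12 -legacy -export"; changes more than which provider is loaded: on export, OpenSSL 3's -legacy switches the bundle back to the legacy algorithms (RC2-CBC or 3DES-CBC for the certificates, 3DES-CBC for the private key) instead of the default AES-256-CBC with PBKDF2 key derivation, so every new host .p12 that IPFire hands to a user would be protected by ciphers that were deprecated precisely because they are weak. The flag is only needed when reading old files, which the hunks above already cover; drop it from the export path, or, if older clients must still be able to open the bundle, select the algorithms explicitly with -certpbe, -keypbe and -macalg so the downgrade is visible in the code rather than implied by a flag whose name suggests only a compatibility setting.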