Reviewed-by: Michael Tremer michael.tremer@ipfire.org
I am not sure what I can say about this. I suppose it is another dirty fix that I would prefer not to have?
Thank you for investigating!
On 3 Jun 2023, at 15:05, Adolf Belka adolf.belka@ipfire.org wrote:
- The change to openssl-3.x results in the openssl commands that start with ca failing with the error message OpenSSL produced an error: <br>40E7B4719B730000:error:0700006C:configuration file routines:NCONF_get_string:no value:crypto/conf/conf_lib.c:315:group=<NULL> name=unique_subject
- The fix for this is to include the unique_subject = yes line into /var/ipfire/certs/index.txt.attr
- Additionally, based on the learnings from bug#13137 on OpenVPN, any openssl commands dealing with pkcs12 (.p12) files that were created with openssl-1.1.1x fail when being accessed with openssl-3.x due to the no longer supported algorithm. These can be accessed if the -legacy option is added to every openssl command dealing with pkcs12
Fixes: Bug#13138 Tested-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Adolf Belka adolf.belka@ipfire.org
html/cgi-bin/vpnmain.cgi | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-)
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 6c1fd4cf0..f2aeecdf9 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -193,7 +193,7 @@ sub cleanssldatabase { close FILE; } if (open(FILE, ">${General::swroot}/certs/index.txt.attr")) {
- print FILE "";
- print FILE "unique_subject = yes";
close FILE; } unlink ("${General::swroot}/certs/index.txt.old"); @@ -213,6 +213,7 @@ sub newcleanssldatabase { } if (! -s ">${General::swroot}/certs/index.txt.attr") { open(FILE, ">${General::swroot}/certs/index.txt.attr");
- print FILE "unique_subject = yes";
close(FILE); } unlink ("${General::swroot}/certs/index.txt.old"); @@ -907,7 +908,7 @@ END # Extract the CA certificate from the file &General::log("ipsec", "Extracting caroot from p12..."); if (open(STDIN, "-|")) {
- my $opt = " pkcs12 -cacerts -nokeys";
- my $opt = " pkcs12 -legacy -cacerts -nokeys";
$opt .= " -in $filename"; $opt .= " -out /tmp/newcacert"; $errormessage = &callssl ($opt); @@ -920,7 +921,7 @@ END if (!$errormessage) { &General::log("ipsec", "Extracting host cert from p12..."); if (open(STDIN, "-|")) {
- my $opt = " pkcs12 -clcerts -nokeys";
- my $opt = " pkcs12 -legacy -clcerts -nokeys";
$opt .= " -in $filename"; $opt .= " -out /tmp/newhostcert"; $errormessage = &callssl ($opt); @@ -934,7 +935,7 @@ END if (!$errormessage) { &General::log("ipsec", "Extracting private key from p12..."); if (open(STDIN, "-|")) {
- my $opt = " pkcs12 -nocerts -nodes";
- my $opt = " pkcs12 -legacy -nocerts -nodes";
$opt .= " -in $filename"; $opt .= " -out /tmp/newhostkey"; $errormessage = &callssl ($opt); @@ -1939,7 +1940,7 @@ END # Extract the CA certificate from the file &General::log("ipsec", "Extracting caroot from p12..."); if (open(STDIN, "-|")) {
- my $opt = " pkcs12 -cacerts -nokeys";
- my $opt = " pkcs12 -legacy -cacerts -nokeys";
$opt .= " -in $filename"; $opt .= " -out /tmp/newcacert"; $errormessage = &callssl ($opt); @@ -1952,7 +1953,7 @@ END if (!$errormessage) { &General::log("ipsec", "Extracting host cert from p12..."); if (open(STDIN, "-|")) {
- my $opt = " pkcs12 -clcerts -nokeys";
- my $opt = " pkcs12 -legacy -clcerts -nokeys";
$opt .= " -in $filename"; $opt .= " -out /tmp/newhostcert"; $errormessage = &callssl ($opt); @@ -2197,7 +2198,7 @@ END
# Create the pkcs12 file &General::log("ipsec", "Packing a pkcs12 file...");
- $opt = " pkcs12 -export";
- $opt = " pkcs12 -legacy -export";
$opt .= " -inkey ${General::swroot}/certs/$cgiparams{'NAME'}key.pem"; $opt .= " -in ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"; $opt .= " -name "$cgiparams{'NAME'}""; -- 2.40.1