[PATCH 1/2] openssl: Fix for Bug#13117 - adds legacy option in for openssl extraction of cert & key
- OpenSSL-3.x gives an error when trying to open insecure .p12 files to extract the cert and key for the insecure package download option. - To make this work the -legacy option is needed in the openssl command, which requires the legacy.so library to be available. - Successfully tested on a vm system. - Patch set built on Master (CU175 Testing)
Tested-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Adolf Belka adolf.belka@ipfire.org --- config/rootfiles/common/openssl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/rootfiles/common/openssl b/config/rootfiles/common/openssl index e29bc6dc1..44ae2cda9 100644 --- a/config/rootfiles/common/openssl +++ b/config/rootfiles/common/openssl @@ -160,7 +160,7 @@ usr/lib/libcrypto.so.3 usr/lib/libssl.so usr/lib/libssl.so.3 #usr/lib/ossl-modules -#usr/lib/ossl-modules/legacy.so +usr/lib/ossl-modules/legacy.so #usr/lib/pkgconfig/libcrypto.pc #usr/lib/pkgconfig/libssl.pc #usr/lib/pkgconfig/openssl.pc
- Any insecure connections made with openssl-3.x can have the cert and key extracted but if the insecure connection was made from prior to CU175 Testing then it used openssl-1.1.1 which causes an error under openssl-3.x due to the old version being able to accept older ciphers no longer accepted by openssl-3.x - Adding the -legacy option to the openssl commands enables openssl-3.x to successfully open them and extract the cert and key - Successfully tested on a vm system. Confirmed that the downloaded version under openssl-3.x worked exactly the same as the version downloaded under openssl-1.1.1
Tested-by: Adolf Belka adolf.belka@ipfire.org Signed-off-by: Adolf Belka adolf.belka@ipfire.org --- html/cgi-bin/ovpnmain.cgi | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) mode change 100644 => 100755 html/cgi-bin/ovpnmain.cgi
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi old mode 100644 new mode 100755 index 50ad21e79..5b0accf3f --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -2227,7 +2227,7 @@ else
# Extract the certificate # This system call is safe, because all arguments are passed as an array. - system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", + system('/usr/bin/openssl', 'pkcs12', '-legacy', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", '-clcerts', '-nokeys', '-nodes', '-out', "$file_crt" , '-passin', 'pass:'); if ($?) { die "openssl error: $?"; @@ -2238,7 +2238,7 @@ else
# Extract the key # This system call is safe, because all arguments are passed as an array. - system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", + system('/usr/bin/openssl', 'pkcs12', '-legacy', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", '-nocerts', '-nodes', '-out', "$file_key", '-passin', 'pass:'); if ($?) { die "openssl error: $?";
-
Adolf Belka