This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, next has been updated
via ad37110f6ee24d5035d12c49f53b65b90fb3c921 (commit)
via 1ed2ed6310a80510304af993b68c35060731ceff (commit)
via d545c338f0d14ecec48623e15efc1c28b44cbce7 (commit)
via 73363b89bc6cb1749b83fb42e4f55d960f974f26 (commit)
via 04acd0b7ce1ffaa36641344d49199256956f3973 (commit)
via 4697a1f7f73a5f7ba869c8ad2ce267bd6d65fcc5 (commit)
via 51c8b155d1b888f45b234b86cb67b58512853294 (commit)
from 98278fef4c3321387c1673bddaa652fb0adb922d (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit ad37110f6ee24d5035d12c49f53b65b90fb3c921
Merge: 98278fef4c 1ed2ed6310
Author: Arne Fitzenreiter <arne_f(a)ipfire.org>
Date: Fri Jun 14 07:29:22 2024 +0200
Merge remote-tracking branch 'origin/master' into next
-----------------------------------------------------------------------
Summary of changes:
config/ovpn/openvpn-crl-updater | 3 +--
config/rootfiles/common/openssl | 5 +++++
config/rootfiles/common/openvpn | 2 +-
config/rootfiles/oldcore/186/filelists/files | 2 ++
.../rootfiles/oldcore/{100 => 186}/filelists/openssl | 0
config/rootfiles/oldcore/186/update.sh | 4 ++--
html/cgi-bin/ovpnmain.cgi | 20 ++++++++++----------
lfs/openssl | 4 ++--
lfs/openvpn | 6 ++++++
9 files changed, 29 insertions(+), 17 deletions(-)
copy config/rootfiles/oldcore/{100 => 186}/filelists/openssl (100%)
Difference in files:
diff --git a/config/ovpn/openvpn-crl-updater b/config/ovpn/openvpn-crl-updater
index 5fbe21080..5008d6725 100644
--- a/config/ovpn/openvpn-crl-updater
+++ b/config/ovpn/openvpn-crl-updater
@@ -43,7 +43,6 @@ OVPN="/var/ipfire/ovpn"
CRL="${OVPN}/crls/cacrl.pem"
CAKEY="${OVPN}/ca/cakey.pem"
CACERT="${OVPN}/ca/cacert.pem"
-OPENSSLCONF="${OVPN}/openssl/ovpn.cnf"
# Check if CRL is presant or if OpenVPN is active
if [ ! -e "${CAKEY}" ]; then
@@ -76,7 +75,7 @@ UPDATE="14"
## Mainpart
# Check if OpenVPNs CRL needs to be renewed
if [ ${NEXTUPDATE} -le ${UPDATE} ]; then
- if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}"; then
+ if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "/usr/share/openvpn/ovpn.cnf"; then
logger -t openvpn "CRL has been updated"
else
logger -t openvpn "error: Could not update CRL"
diff --git a/config/rootfiles/common/openssl b/config/rootfiles/common/openssl
index a3664a521..d5f4f3814 100644
--- a/config/rootfiles/common/openssl
+++ b/config/rootfiles/common/openssl
@@ -797,6 +797,7 @@ usr/lib/ossl-modules/legacy.so
#usr/share/doc/openssl/html/man3/SSL_set_incoming_stream_policy.html
#usr/share/doc/openssl/html/man3/SSL_set_retry_verify.html
#usr/share/doc/openssl/html/man3/SSL_set_session.html
+#usr/share/doc/openssl/html/man3/SSL_set_session_secret_cb.html
#usr/share/doc/openssl/html/man3/SSL_set_shutdown.html
#usr/share/doc/openssl/html/man3/SSL_set_verify_result.html
#usr/share/doc/openssl/html/man3/SSL_shutdown.html
@@ -966,6 +967,7 @@ usr/lib/ossl-modules/legacy.so
#usr/share/doc/openssl/html/man7/OSSL_PROVIDER-default.html
#usr/share/doc/openssl/html/man7/OSSL_PROVIDER-legacy.html
#usr/share/doc/openssl/html/man7/OSSL_PROVIDER-null.html
+#usr/share/doc/openssl/html/man7/OSSL_STORE-winstore.html
#usr/share/doc/openssl/html/man7/RAND.html
#usr/share/doc/openssl/html/man7/RSA-PSS.html
#usr/share/doc/openssl/html/man7/X25519.html
@@ -5515,6 +5517,7 @@ usr/lib/ossl-modules/legacy.so
#usr/share/man/man3/SSL_set_security_level.3ossl
#usr/share/man/man3/SSL_set_session.3ossl
#usr/share/man/man3/SSL_set_session_id_context.3ossl
+#usr/share/man/man3/SSL_set_session_secret_cb.3ossl
#usr/share/man/man3/SSL_set_shutdown.3ossl
#usr/share/man/man3/SSL_set_split_send_fragment.3ossl
#usr/share/man/man3/SSL_set_srp_server_param.3ossl
@@ -6703,6 +6706,7 @@ usr/lib/ossl-modules/legacy.so
#usr/share/man/man3/sk_TYPE_value.3ossl
#usr/share/man/man3/sk_TYPE_zero.3ossl
#usr/share/man/man3/ssl_ct_validation_cb.3ossl
+#usr/share/man/man3/tls_session_secret_cb_fn.3ossl
#usr/share/man/man5/config.5ossl
#usr/share/man/man5/fips_config.5ossl
#usr/share/man/man5/x509v3_config.5ossl
@@ -6828,6 +6832,7 @@ usr/lib/ossl-modules/legacy.so
#usr/share/man/man7/OSSL_PROVIDER-default.7ossl
#usr/share/man/man7/OSSL_PROVIDER-legacy.7ossl
#usr/share/man/man7/OSSL_PROVIDER-null.7ossl
+#usr/share/man/man7/OSSL_STORE-winstore.7ossl
#usr/share/man/man7/RAND.7ossl
#usr/share/man/man7/RSA-PSS.7ossl
#usr/share/man/man7/RSA.7ossl
diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn
index d9848a579..8a36d4bb4 100644
--- a/config/rootfiles/common/openvpn
+++ b/config/rootfiles/common/openvpn
@@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator
#usr/share/doc/openvpn/openvpn.8.html
#usr/share/man/man5/openvpn-examples.5
#usr/share/man/man8/openvpn.8
+usr/share/openvpn/ovpn.cnf
var/ipfire/ovpn/ca
var/ipfire/ovpn/caconfig
var/ipfire/ovpn/ccd
@@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial
var/ipfire/ovpn/crls
var/ipfire/ovpn/n2nconf
#var/ipfire/ovpn/openssl
-var/ipfire/ovpn/openssl/ovpn.cnf
var/ipfire/ovpn/openvpn-authenticator
var/ipfire/ovpn/ovpn-leases.db
var/ipfire/ovpn/ovpnconfig
diff --git a/config/rootfiles/oldcore/186/filelists/files b/config/rootfiles/oldcore/186/filelists/files
index 3f0d11ae2..0c4756337 100644
--- a/config/rootfiles/oldcore/186/filelists/files
+++ b/config/rootfiles/oldcore/186/filelists/files
@@ -12,8 +12,10 @@ etc/rc.d/init.d/grub-btrfsd
etc/rc.d/rc0.d/K01grub-btrfsd
etc/rc.d/rc3.d/S99grub-btrfsd
etc/rc.d/rc6.d/K01grub-btrfsd
+srv/web/ipfire/cgi-bin/ovpnmain.cgi
srv/web/ipfire/cgi-bin/vulnerabilities.cgi
usr/local/bin/ipsec-interfaces
usr/sbin/unbound-dhcp-leases-bridge
+usr/share/openvpn/ovpn.cnf
var/ipfire/header.pl
var/ipfire/ipblocklist/sources
diff --git a/config/rootfiles/oldcore/186/filelists/openssl b/config/rootfiles/oldcore/186/filelists/openssl
new file mode 120000
index 000000000..e011a9266
--- /dev/null
+++ b/config/rootfiles/oldcore/186/filelists/openssl
@@ -0,0 +1 @@
+../../../common/openssl
\ No newline at end of file
diff --git a/config/rootfiles/oldcore/186/update.sh b/config/rootfiles/oldcore/186/update.sh
index 5d7add89f..02f799af8 100644
--- a/config/rootfiles/oldcore/186/update.sh
+++ b/config/rootfiles/oldcore/186/update.sh
@@ -104,8 +104,8 @@ done
extract_files
# Remove files
-#rm -rvf \
-# /XXX
+rm -rvf \
+ /var/ipfire/ovpn/openssl
# update linker config
ldconfig
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index c92d0237d..f0172978f 100755
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -1836,7 +1836,7 @@ END
'-days', '999999', '-newkey', 'rsa:4096', '-sha512',
'-keyout', "${General::swroot}/ovpn/ca/cakey.pem",
'-out', "${General::swroot}/ovpn/ca/cacert.pem",
- '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
+ '-config', "/usr/share/openvpn/ovpn.cnf")) {
$errormessage = "$Lang::tr{'cant start openssl'}: $!";
goto ROOTCERT_ERROR;
}
@@ -1868,7 +1868,7 @@ END
'-keyout', "${General::swroot}/ovpn/certs/serverkey.pem",
'-out', "${General::swroot}/ovpn/certs/serverreq.pem",
'-extensions', 'server',
- '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" )) {
+ '-config', "/usr/share/openvpn/ovpn.cnf" )) {
$errormessage = "$Lang::tr{'cant start openssl'}: $!";
unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
@@ -1885,7 +1885,7 @@ END
'-in', "${General::swroot}/ovpn/certs/serverreq.pem",
'-out', "${General::swroot}/ovpn/certs/servercert.pem",
'-extensions', 'server',
- '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf");
+ '-config', "/usr/share/openvpn/ovpn.cnf");
if ($?) {
$errormessage = "$Lang::tr{'openssl produced an error'}: $?";
unlink ("${General::swroot}/ovpn/ca/cakey.pem");
@@ -1904,7 +1904,7 @@ END
# System call is safe, because all arguments are passed as array.
system('/usr/bin/openssl', 'ca', '-gencrl',
'-out', "${General::swroot}/ovpn/crls/cacrl.pem",
- '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" );
+ '-config', "/usr/share/openvpn/ovpn.cnf" );
if ($?) {
$errormessage = "$Lang::tr{'openssl produced an error'}: $?";
unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
@@ -2426,8 +2426,8 @@ else
if ($confighash{$cgiparams{'KEY'}}) {
# Revoke certificate if certificate was deleted and rewrite the CRL
- &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
- &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
+ &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "/usr/share/openvpn/ovpn.cnf");
+ &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf");
###
# m.a.d net2net
@@ -2480,7 +2480,7 @@ else
&General::system("/usr/local/bin/openvpnctrl", "-drrd", "$confighash{$cgiparams{'KEY'}}[1]");
delete $confighash{$cgiparams{'KEY'}};
- &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
+ &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf");
&General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
} else {
@@ -4053,7 +4053,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
'-batch', '-notext',
'-in', $filename,
'-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
- '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
+ '-config', "/usr/share/openvpn/ovpn.cnf");
if ($?) {
$errormessage = "$Lang::tr{'openssl produced an error'}: $?";
unlink ($filename);
@@ -4266,7 +4266,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
'-newkey', 'rsa:4096',
'-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem",
'-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
- '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
+ '-config', "/usr/share/openvpn/ovpn.cnf")) {
$errormessage = "$Lang::tr{'cant start openssl'}: $!";
unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem");
@@ -4280,7 +4280,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
'-batch', '-notext',
'-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
'-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
- '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
+ '-config', "/usr/share/openvpn/ovpn.cnf");
if ($?) {
$errormessage = "$Lang::tr{'openssl produced an error'}: $?";
unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
diff --git a/lfs/openssl b/lfs/openssl
index 695035742..d6f565df2 100644
--- a/lfs/openssl
+++ b/lfs/openssl
@@ -24,7 +24,7 @@
include Config
-VER = 3.2.1
+VER = 3.2.2
THISAPP = openssl-$(VER)
DL_FILE = $(THISAPP).tar.gz
@@ -72,7 +72,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 960222e0305166160e5ab000e29650b92063bf726551ee9ad46060166d99738d1e3a5b86fd28b14c8f4fb3a72f5aa70850defb87c02990acff3dbcbdac40b347
+$(DL_FILE)_BLAKE2 = f42d44f31dc9ccf26ffe1fdd4a0119506a211808f92e860a34118109eae2ee7bcb5b0f43cbdf9eb811cd185cb53e092e62d652f7c0c0ce55b13289f7489073c9
install : $(TARGET)
diff --git a/lfs/openvpn b/lfs/openvpn
index b71b4ccc9..b686cc930 100644
--- a/lfs/openvpn
+++ b/lfs/openvpn
@@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
chown root:root /etc/fcron.daily/openvpn-crl-updater
chmod 750 /etc/fcron.daily/openvpn-crl-updater
+ # Move the OpenSSL configuration file out of /var/ipfire
+ mkdir -pv /usr/share/openvpn
+ mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \
+ /usr/share/openvpn/
+ rmdir -v /var/ipfire/ovpn/openssl
+
# Install authenticator
install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \
/usr/sbin/openvpn-authenticator
hooks/post-receive
--
IPFire 2.x development tree