This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated via ad37110f6ee24d5035d12c49f53b65b90fb3c921 (commit) via 1ed2ed6310a80510304af993b68c35060731ceff (commit) via d545c338f0d14ecec48623e15efc1c28b44cbce7 (commit) via 73363b89bc6cb1749b83fb42e4f55d960f974f26 (commit) via 04acd0b7ce1ffaa36641344d49199256956f3973 (commit) via 4697a1f7f73a5f7ba869c8ad2ce267bd6d65fcc5 (commit) via 51c8b155d1b888f45b234b86cb67b58512853294 (commit) from 98278fef4c3321387c1673bddaa652fb0adb922d (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log ----------------------------------------------------------------- commit ad37110f6ee24d5035d12c49f53b65b90fb3c921 Merge: 98278fef4c 1ed2ed6310 Author: Arne Fitzenreiter arne_f@ipfire.org Date: Fri Jun 14 07:29:22 2024 +0200
Merge remote-tracking branch 'origin/master' into next
-----------------------------------------------------------------------
Summary of changes: config/ovpn/openvpn-crl-updater | 3 +-- config/rootfiles/common/openssl | 5 +++++ config/rootfiles/common/openvpn | 2 +- config/rootfiles/oldcore/186/filelists/files | 2 ++ .../rootfiles/oldcore/{100 => 186}/filelists/openssl | 0 config/rootfiles/oldcore/186/update.sh | 4 ++-- html/cgi-bin/ovpnmain.cgi | 20 ++++++++++---------- lfs/openssl | 4 ++-- lfs/openvpn | 6 ++++++ 9 files changed, 29 insertions(+), 17 deletions(-) copy config/rootfiles/oldcore/{100 => 186}/filelists/openssl (100%)
Difference in files:
diff --git a/config/ovpn/openvpn-crl-updater b/config/ovpn/openvpn-crl-updater
index 5fbe21080..5008d6725 100644
--- a/config/ovpn/openvpn-crl-updater
+++ b/config/ovpn/openvpn-crl-updater
@@ -43,7 +43,6 @@ OVPN="/var/ipfire/ovpn"
 CRL="${OVPN}/crls/cacrl.pem"
 CAKEY="${OVPN}/ca/cakey.pem"
 CACERT="${OVPN}/ca/cacert.pem"
-OPENSSLCONF="${OVPN}/openssl/ovpn.cnf"
# Check if CRL is presant or if OpenVPN is active
 if [ ! -e "${CAKEY}" ]; then
@@ -76,7 +75,7 @@ UPDATE="14"
 ## Mainpart
 # Check if OpenVPNs CRL needs to be renewed
 if [ ${NEXTUPDATE} -le ${UPDATE} ]; then
- if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}"; then
+ if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "/usr/share/openvpn/ovpn.cnf"; then
 logger -t openvpn "CRL has been updated"
 else
 logger -t openvpn "error: Could not update CRL"
diff --git a/config/rootfiles/common/openssl b/config/rootfiles/common/openssl
index a3664a521..d5f4f3814 100644
--- a/config/rootfiles/common/openssl
+++ b/config/rootfiles/common/openssl
@@ -797,6 +797,7 @@ usr/lib/ossl-modules/legacy.so
 #usr/share/doc/openssl/html/man3/SSL_set_incoming_stream_policy.html
 #usr/share/doc/openssl/html/man3/SSL_set_retry_verify.html
 #usr/share/doc/openssl/html/man3/SSL_set_session.html
+#usr/share/doc/openssl/html/man3/SSL_set_session_secret_cb.html
 #usr/share/doc/openssl/html/man3/SSL_set_shutdown.html
 #usr/share/doc/openssl/html/man3/SSL_set_verify_result.html
 #usr/share/doc/openssl/html/man3/SSL_shutdown.html
@@ -966,6 +967,7 @@ usr/lib/ossl-modules/legacy.so
 #usr/share/doc/openssl/html/man7/OSSL_PROVIDER-default.html
 #usr/share/doc/openssl/html/man7/OSSL_PROVIDER-legacy.html
 #usr/share/doc/openssl/html/man7/OSSL_PROVIDER-null.html
+#usr/share/doc/openssl/html/man7/OSSL_STORE-winstore.html
 #usr/share/doc/openssl/html/man7/RAND.html
 #usr/share/doc/openssl/html/man7/RSA-PSS.html
 #usr/share/doc/openssl/html/man7/X25519.html
@@ -5515,6 +5517,7 @@ usr/lib/ossl-modules/legacy.so
 #usr/share/man/man3/SSL_set_security_level.3ossl
 #usr/share/man/man3/SSL_set_session.3ossl
 #usr/share/man/man3/SSL_set_session_id_context.3ossl
+#usr/share/man/man3/SSL_set_session_secret_cb.3ossl
 #usr/share/man/man3/SSL_set_shutdown.3ossl
 #usr/share/man/man3/SSL_set_split_send_fragment.3ossl
 #usr/share/man/man3/SSL_set_srp_server_param.3ossl
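Review bot: The configuration path would be better kept in the `OPENSSLCONF` variable than inlined into the `openssl ca -gencrl` call in the hunk at line 76, since every other path the script uses (`CRL`, `CAKEY`, `CACERT`) is a named variable at the top. Changing only the value, `OPENSSLCONF="/usr/share/openvpn/ovpn.cnf"`, leaves the call line untouched and keeps a single place to edit. The guard visible in the first hunk tests only `${CAKEY}`; a matching `[ -r "${OPENSSLCONF}" ]` test before the renewal would presumably give a clearer log line than the generic "Could not update CRL" if the file is missing after an update. Both hunks show only part of the script.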
@@ -6703,6 +6706,7 @@ usr/lib/ossl-modules/legacy.so
 #usr/share/man/man3/sk_TYPE_value.3ossl
 #usr/share/man/man3/sk_TYPE_zero.3ossl
 #usr/share/man/man3/ssl_ct_validation_cb.3ossl
+#usr/share/man/man3/tls_session_secret_cb_fn.3ossl
 #usr/share/man/man5/config.5ossl
 #usr/share/man/man5/fips_config.5ossl
 #usr/share/man/man5/x509v3_config.5ossl
@@ -6828,6 +6832,7 @@ usr/lib/ossl-modules/legacy.so
 #usr/share/man/man7/OSSL_PROVIDER-default.7ossl
 #usr/share/man/man7/OSSL_PROVIDER-legacy.7ossl
 #usr/share/man/man7/OSSL_PROVIDER-null.7ossl
+#usr/share/man/man7/OSSL_STORE-winstore.7ossl
 #usr/share/man/man7/RAND.7ossl
 #usr/share/man/man7/RSA-PSS.7ossl
 #usr/share/man/man7/RSA.7ossl
diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn
index d9848a579..8a36d4bb4 100644
--- a/config/rootfiles/common/openvpn
+++ b/config/rootfiles/common/openvpn
@@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator
 #usr/share/doc/openvpn/openvpn.8.html
 #usr/share/man/man5/openvpn-examples.5
 #usr/share/man/man8/openvpn.8
+usr/share/openvpn/ovpn.cnf
 var/ipfire/ovpn/ca
 var/ipfire/ovpn/caconfig
 var/ipfire/ovpn/ccd
@@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial
 var/ipfire/ovpn/crls
 var/ipfire/ovpn/n2nconf
 #var/ipfire/ovpn/openssl
-var/ipfire/ovpn/openssl/ovpn.cnf
 var/ipfire/ovpn/openvpn-authenticator
 var/ipfire/ovpn/ovpn-leases.db
 var/ipfire/ovpn/ovpnconfig
diff --git a/config/rootfiles/oldcore/186/filelists/files b/config/rootfiles/oldcore/186/filelists/files
index 3f0d11ae2..0c4756337 100644
--- a/config/rootfiles/oldcore/186/filelists/files
+++ b/config/rootfiles/oldcore/186/filelists/files
@@ -12,8 +12,10 @@ etc/rc.d/init.d/grub-btrfsd
 etc/rc.d/rc0.d/K01grub-btrfsd
 etc/rc.d/rc3.d/S99grub-btrfsd
 etc/rc.d/rc6.d/K01grub-btrfsd
+srv/web/ipfire/cgi-bin/ovpnmain.cgi
 srv/web/ipfire/cgi-bin/vulnerabilities.cgi
 usr/local/bin/ipsec-interfaces
 usr/sbin/unbound-dhcp-leases-bridge
+usr/share/openvpn/ovpn.cnf
 var/ipfire/header.pl
 var/ipfire/ipblocklist/sources
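Review bot: The updated `openvpn-crl-updater` does not appear among the entries visible in this Core 186 file list, although the same commit changes the script and the lfs/openvpn hunk shows it installed as `/etc/fcron.daily/openvpn-crl-updater`. Lines 1–11 of the list are outside the hunk, so the entry may already exist. If it does not, updated systems keep the old script, which still reads `${OVPN}/openssl/ovpn.cnf`, while the `rm -rvf /var/ipfire/ovpn/openssl` added to update.sh removes that file. The daily CRL renewal would then fail with only a log entry, and the CRL would eventually expire. Confirm that `etc/fcron.daily/openvpn-crl-updater` is shipped, or add it next to the two new entries.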
diff --git a/config/rootfiles/oldcore/186/filelists/openssl b/config/rootfiles/oldcore/186/filelists/openssl
new file mode 120000
index 000000000..e011a9266
--- /dev/null
+++ b/config/rootfiles/oldcore/186/filelists/openssl
@@ -0,0 +1 @@
+../../../common/openssl
\ No newline at end of file
diff --git a/config/rootfiles/oldcore/186/update.sh b/config/rootfiles/oldcore/186/update.sh
index 5d7add89f..02f799af8 100644
--- a/config/rootfiles/oldcore/186/update.sh
+++ b/config/rootfiles/oldcore/186/update.sh
@@ -104,8 +104,8 @@ done
 extract_files
# Remove files
-#rm -rvf \
-# /XXX
+rm -rvf \
+ /var/ipfire/ovpn/openssl
# update linker config ldconfig diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index c92d0237d..f0172978f 100755 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -1836,7 +1836,7 @@ END '-days', '999999', '-newkey', 'rsa:4096', '-sha512', '-keyout', "${General::swroot}/ovpn/ca/cakey.pem", '-out', "${General::swroot}/ovpn/ca/cacert.pem", - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) { + '-config', "/usr/share/openvpn/ovpn.cnf")) { $errormessage = "$Lang::tr{'cant start openssl'}: $!"; goto ROOTCERT_ERROR; } @@ -1868,7 +1868,7 @@ END '-keyout', "${General::swroot}/ovpn/certs/serverkey.pem", '-out', "${General::swroot}/ovpn/certs/serverreq.pem", '-extensions', 'server', - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" )) { + '-config', "/usr/share/openvpn/ovpn.cnf" )) { $errormessage = "$Lang::tr{'cant start openssl'}: $!"; unlink ("${General::swroot}/ovpn/certs/serverkey.pem"); unlink ("${General::swroot}/ovpn/certs/serverreq.pem"); @@ -1885,7 +1885,7 @@ END '-in', "${General::swroot}/ovpn/certs/serverreq.pem", '-out', "${General::swroot}/ovpn/certs/servercert.pem", '-extensions', 'server', - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf"); + '-config', "/usr/share/openvpn/ovpn.cnf"); if ($?) { $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; unlink ("${General::swroot}/ovpn/ca/cakey.pem"); @@ -1904,7 +1904,7 @@ END # System call is safe, because all arguments are passed as array. system('/usr/bin/openssl', 'ca', '-gencrl', '-out', "${General::swroot}/ovpn/crls/cacrl.pem", - '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" ); + '-config', "/usr/share/openvpn/ovpn.cnf" ); if ($?) { $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; unlink ("${General::swroot}/ovpn/certs/serverkey.pem"); @@ -2426,8 +2426,8 @@ else
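Review bot: The literal `"/usr/share/openvpn/ovpn.cnf"` is now repeated in every `openssl` invocation this file section touches (the hunks at 1836, 1868, 1885 and 1904 here, and those at 2426, 2480, 4053, 4266 and 4280 further down), and once more in openvpn-crl-updater. A single file-level definition, for example `my $OPENSSL_CONFIG = "/usr/share/openvpn/ovpn.cnf";`, passed as `'-config', $OPENSSL_CONFIG`, would make the next relocation a one-line change and rule out one call site being missed. The name is only a suggestion and should follow whatever convention the file already uses for such constants. The surrounding blocks start and end outside these hunks.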
if ($confighash{$cgiparams{'KEY'}}) { # Revoke certificate if certificate was deleted and rewrite the CRL - &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf"); - &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf"); + &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "/usr/share/openvpn/ovpn.cnf"); + &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf");
### # m.a.d net2net @@ -2480,7 +2480,7 @@ else &General::system("/usr/local/bin/openvpnctrl", "-drrd", "$confighash{$cgiparams{'KEY'}}[1]");
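Review bot: Both rewritten calls in the hunk at 2426 discard the result of `&General::system`, so a failing `openssl ca -revoke` or `-gencrl` goes unnoticed, for instance when `/usr/share/openvpn/ovpn.cnf` is missing or unreadable for the CGI user after the move. The connection entry is then still removed while its certificate may remain unrevoked and the CRL stale. The other call sites in this commit test `$?` and set `$errormessage`; the same pattern would fit here, e.g. `if ($?) { $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; }` after each call, assuming `&General::system` leaves `$?` set, which is not visible here. The `-gencrl` call in the hunk at 2480 has the same gap, and the enclosing block starts and ends outside both hunks.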
delete $confighash{$cgiparams{'KEY'}}; - &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf"); + &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf"); &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", %confighash);
} else { @@ -4053,7 +4053,7 @@ if ($cgiparams{'TYPE'} eq 'net') { '-batch', '-notext', '-in', $filename, '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem", - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf"); + '-config', "/usr/share/openvpn/ovpn.cnf"); if ($?) { $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; unlink ($filename); @@ -4266,7 +4266,7 @@ if ($cgiparams{'TYPE'} eq 'net') { '-newkey', 'rsa:4096', '-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem", '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem", - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) { + '-config', "/usr/share/openvpn/ovpn.cnf")) { $errormessage = "$Lang::tr{'cant start openssl'}: $!"; unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem"); unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem"); @@ -4280,7 +4280,7 @@ if ($cgiparams{'TYPE'} eq 'net') { '-batch', '-notext', '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem", '-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem", - '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf"); + '-config', "/usr/share/openvpn/ovpn.cnf"); if ($?) { $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem"); diff --git a/lfs/openssl b/lfs/openssl index 695035742..d6f565df2 100644 --- a/lfs/openssl +++ b/lfs/openssl @@ -24,7 +24,7 @@
include Config
-VER = 3.2.1
+VER = 3.2.2
THISAPP = openssl-$(VER)
 DL_FILE = $(THISAPP).tar.gz
@@ -72,7 +72,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 960222e0305166160e5ab000e29650b92063bf726551ee9ad46060166d99738d1e3a5b86fd28b14c8f4fb3a72f5aa70850defb87c02990acff3dbcbdac40b347
+$(DL_FILE)_BLAKE2 = f42d44f31dc9ccf26ffe1fdd4a0119506a211808f92e860a34118109eae2ee7bcb5b0f43cbdf9eb811cd185cb53e092e62d652f7c0c0ce55b13289f7489073c9
install : $(TARGET)
diff --git a/lfs/openvpn b/lfs/openvpn
index b71b4ccc9..b686cc930 100644
--- a/lfs/openvpn
+++ b/lfs/openvpn
@@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 chown root:root /etc/fcron.daily/openvpn-crl-updater
 chmod 750 /etc/fcron.daily/openvpn-crl-updater
+ # Move the OpenSSL configuration file out of /var/ipfire
+ mkdir -pv /usr/share/openvpn
+ mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \
+ /usr/share/openvpn/
+ rmdir -v /var/ipfire/ovpn/openssl
+
 # Install authenticator
 install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \
 /usr/sbin/openvpn-authenticator
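Review bot: `mv` keeps whatever owner and mode the file had under `/var/ipfire/ovpn/openssl`, so the relocated `ovpn.cnf` is only as protected as the earlier part of this recipe (outside the hunk) left it. This file steers every `openssl ca` call, including the one made by the script installed into `/etc/fcron.daily`, so it is worth pinning explicitly right after the move, as the recipe already does for the CRL updater: `chown root:root /usr/share/openvpn/ovpn.cnf` and `chmod 644 /usr/share/openvpn/ovpn.cnf`. `rmdir` will also stop the build if anything else is ever placed in that directory; if that is intended, a word in the comment would help the next maintainer.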
hooks/post-receive -- IPFire 2.x development tree