[git.ipfire.org] IPFire 2.x development tree branch, core186, updated. 73363b89bc6cb1749b83fb42e4f55d960f974f26

7 Jun 2024

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, core186 has been updated
       via  73363b89bc6cb1749b83fb42e4f55d960f974f26 (commit)
       via  04acd0b7ce1ffaa36641344d49199256956f3973 (commit)
       via  4697a1f7f73a5f7ba869c8ad2ce267bd6d65fcc5 (commit)
       via  51c8b155d1b888f45b234b86cb67b58512853294 (commit)
      from  f3d6e2a0fbb21b78e3a5247049bc7b21595f2153 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 73363b89bc6cb1749b83fb42e4f55d960f974f26
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Fri Jun 7 16:06:40 2024 +0000
core186: Ship the changed location of the OpenSSL configuration for OpenVPN
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 04acd0b7ce1ffaa36641344d49199256956f3973
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Fri Jun 7 16:05:04 2024 +0000
core186: Ship OpenSSL
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 4697a1f7f73a5f7ba869c8ad2ce267bd6d65fcc5
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Fri Jun 7 16:01:07 2024 +0000
OpenVPN: Move the OpenSSL configuration file out of /var/ipfire
We should not have any configuration files that we share in this place,
    therefore this patch is moving it into /usr/share/openvpn where we
    should be able to update it without any issues.
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
commit 51c8b155d1b888f45b234b86cb67b58512853294
Author: Michael Tremer michael.tremer@ipfire.org
Date:   Fri Jun 7 15:01:27 2024 +0000
openssl: Update to 3.2.2
https://www.openssl.org/news/openssl-3.2-notes.html
Signed-off-by: Michael Tremer michael.tremer@ipfire.org
-----------------------------------------------------------------------
Summary of changes:
 config/ovpn/openvpn-crl-updater                      |  3 +--
 config/rootfiles/common/openssl                      |  5 +++++
 config/rootfiles/common/openvpn                      |  2 +-
 config/rootfiles/core/186/filelists/files            |  1 +
 .../{oldcore/100 => core/186}/filelists/openssl      |  0
 config/rootfiles/core/186/update.sh                  |  4 ++--
 html/cgi-bin/ovpnmain.cgi                            | 20 ++++++++++----------
 lfs/openssl                                          |  4 ++--
 lfs/openvpn                                          |  6 ++++++
 9 files changed, 28 insertions(+), 17 deletions(-)
 copy config/rootfiles/{oldcore/100 => core/186}/filelists/openssl (100%)
Difference in files:

diff --git a/config/ovpn/openvpn-crl-updater b/config/ovpn/openvpn-crl-updater
index 5fbe21080..5008d6725 100644
--- a/config/ovpn/openvpn-crl-updater
+++ b/config/ovpn/openvpn-crl-updater
@@ -43,7 +43,6 @@ OVPN="/var/ipfire/ovpn"
 CRL="${OVPN}/crls/cacrl.pem"
 CAKEY="${OVPN}/ca/cakey.pem"
 CACERT="${OVPN}/ca/cacert.pem"
-OPENSSLCONF="${OVPN}/openssl/ovpn.cnf"
# Check if CRL is presant or if OpenVPN is active
 if [ ! -e "${CAKEY}" ]; then
@@ -76,7 +75,7 @@ UPDATE="14"
 ## Mainpart
 # Check if OpenVPNs CRL needs to be renewed
 if [ ${NEXTUPDATE} -le ${UPDATE} ]; then
-    if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}"; then
+    if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "/usr/share/openvpn/ovpn.cnf"; then
    	logger -t openvpn "CRL has been updated"
     else
    	logger -t openvpn "error: Could not update CRL"
diff --git a/config/rootfiles/common/openssl b/config/rootfiles/common/openssl
index a3664a521..d5f4f3814 100644
--- a/config/rootfiles/common/openssl
+++ b/config/rootfiles/common/openssl
@@ -797,6 +797,7 @@ usr/lib/ossl-modules/legacy.so
 #usr/share/doc/openssl/html/man3/SSL_set_incoming_stream_policy.html
 #usr/share/doc/openssl/html/man3/SSL_set_retry_verify.html
 #usr/share/doc/openssl/html/man3/SSL_set_session.html
+#usr/share/doc/openssl/html/man3/SSL_set_session_secret_cb.html
 #usr/share/doc/openssl/html/man3/SSL_set_shutdown.html
 #usr/share/doc/openssl/html/man3/SSL_set_verify_result.html
 #usr/share/doc/openssl/html/man3/SSL_shutdown.html
@@ -966,6 +967,7 @@ usr/lib/ossl-modules/legacy.so
 #usr/share/doc/openssl/html/man7/OSSL_PROVIDER-default.html
 #usr/share/doc/openssl/html/man7/OSSL_PROVIDER-legacy.html
 #usr/share/doc/openssl/html/man7/OSSL_PROVIDER-null.html
+#usr/share/doc/openssl/html/man7/OSSL_STORE-winstore.html
 #usr/share/doc/openssl/html/man7/RAND.html
 #usr/share/doc/openssl/html/man7/RSA-PSS.html
 #usr/share/doc/openssl/html/man7/X25519.html
@@ -5515,6 +5517,7 @@ usr/lib/ossl-modules/legacy.so
 #usr/share/man/man3/SSL_set_security_level.3ossl
 #usr/share/man/man3/SSL_set_session.3ossl
 #usr/share/man/man3/SSL_set_session_id_context.3ossl
+#usr/share/man/man3/SSL_set_session_secret_cb.3ossl
 #usr/share/man/man3/SSL_set_shutdown.3ossl
 #usr/share/man/man3/SSL_set_split_send_fragment.3ossl
 #usr/share/man/man3/SSL_set_srp_server_param.3ossl
@@ -6703,6 +6706,7 @@ usr/lib/ossl-modules/legacy.so
 #usr/share/man/man3/sk_TYPE_value.3ossl
 #usr/share/man/man3/sk_TYPE_zero.3ossl
 #usr/share/man/man3/ssl_ct_validation_cb.3ossl
+#usr/share/man/man3/tls_session_secret_cb_fn.3ossl
 #usr/share/man/man5/config.5ossl
 #usr/share/man/man5/fips_config.5ossl
 #usr/share/man/man5/x509v3_config.5ossl
@@ -6828,6 +6832,7 @@ usr/lib/ossl-modules/legacy.so
 #usr/share/man/man7/OSSL_PROVIDER-default.7ossl
 #usr/share/man/man7/OSSL_PROVIDER-legacy.7ossl
 #usr/share/man/man7/OSSL_PROVIDER-null.7ossl
+#usr/share/man/man7/OSSL_STORE-winstore.7ossl
 #usr/share/man/man7/RAND.7ossl
 #usr/share/man/man7/RSA-PSS.7ossl
 #usr/share/man/man7/RSA.7ossl
diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn
index d9848a579..c0d49bfad 100644
--- a/config/rootfiles/common/openvpn
+++ b/config/rootfiles/common/openvpn
@@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator
 #usr/share/doc/openvpn/openvpn.8.html
 #usr/share/man/man5/openvpn-examples.5
 #usr/share/man/man8/openvpn.8
+usr/share/openvpn/openssl.cnf
 var/ipfire/ovpn/ca
 var/ipfire/ovpn/caconfig
 var/ipfire/ovpn/ccd
@@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial
 var/ipfire/ovpn/crls
 var/ipfire/ovpn/n2nconf
 #var/ipfire/ovpn/openssl
-var/ipfire/ovpn/openssl/ovpn.cnf
 var/ipfire/ovpn/openvpn-authenticator
 var/ipfire/ovpn/ovpn-leases.db
 var/ipfire/ovpn/ovpnconfig
diff --git a/config/rootfiles/core/186/filelists/files b/config/rootfiles/core/186/filelists/files
index 3f0d11ae2..89b92cd1f 100644
--- a/config/rootfiles/core/186/filelists/files
+++ b/config/rootfiles/core/186/filelists/files
@@ -15,5 +15,6 @@ etc/rc.d/rc6.d/K01grub-btrfsd
 srv/web/ipfire/cgi-bin/vulnerabilities.cgi
 usr/local/bin/ipsec-interfaces
 usr/sbin/unbound-dhcp-leases-bridge
+usr/share/openvpn/openssl.cnf
 var/ipfire/header.pl
 var/ipfire/ipblocklist/sources
diff --git a/config/rootfiles/core/186/filelists/openssl b/config/rootfiles/core/186/filelists/openssl
new file mode 120000
index 000000000..e011a9266
--- /dev/null
+++ b/config/rootfiles/core/186/filelists/openssl
@@ -0,0 +1 @@
+../../../common/openssl
\ No newline at end of file
diff --git a/config/rootfiles/core/186/update.sh b/config/rootfiles/core/186/update.sh
index 5d7add89f..02f799af8 100644
--- a/config/rootfiles/core/186/update.sh
+++ b/config/rootfiles/core/186/update.sh
@@ -104,8 +104,8 @@ done
 extract_files
# Remove files
-#rm -rvf \
-#	/XXX
+rm -rvf \
+	/var/ipfire/ovpn/openssl
# update linker config
 ldconfig
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index c92d0237d..f0172978f 100755
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -1836,7 +1836,7 @@ END
    		'-days', '999999', '-newkey', 'rsa:4096', '-sha512',
    		'-keyout', "${General::swroot}/ovpn/ca/cakey.pem",
    		'-out', "${General::swroot}/ovpn/ca/cacert.pem",
-			'-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
+			'-config', "/usr/share/openvpn/ovpn.cnf")) {
    	$errormessage = "$Lang::tr{'cant start openssl'}: $!";
    	goto ROOTCERT_ERROR;
        }
@@ -1868,7 +1868,7 @@ END
    		'-keyout', "${General::swroot}/ovpn/certs/serverkey.pem",
    		'-out', "${General::swroot}/ovpn/certs/serverreq.pem",
    		'-extensions', 'server',
-			'-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" )) {
+			'-config', "/usr/share/openvpn/ovpn.cnf" )) {
    	$errormessage = "$Lang::tr{'cant start openssl'}: $!";
    	unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
    	unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
@@ -1885,7 +1885,7 @@ END
    	'-in',  "${General::swroot}/ovpn/certs/serverreq.pem",
    	'-out', "${General::swroot}/ovpn/certs/servercert.pem",
    	'-extensions', 'server',
-		'-config', "${General::swroot}/ovpn/openssl/ovpn.cnf");
+		'-config', "/usr/share/openvpn/ovpn.cnf");
    if ($?) {
        $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
        unlink ("${General::swroot}/ovpn/ca/cakey.pem");
@@ -1904,7 +1904,7 @@ END
    # System call is safe, because all arguments are passed as array.
    system('/usr/bin/openssl', 'ca', '-gencrl',
    	'-out', "${General::swroot}/ovpn/crls/cacrl.pem",
-		'-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" );
+		'-config', "/usr/share/openvpn/ovpn.cnf" );
    if ($?) {
        $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
        unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
@@ -2426,8 +2426,8 @@ else
if ($confighash{$cgiparams{'KEY'}}) {
    	# Revoke certificate if certificate was deleted and rewrite the CRL
-		&General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
-		&General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
+		&General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "/usr/share/openvpn/ovpn.cnf");
+		&General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf");
###
 # m.a.d net2net
@@ -2480,7 +2480,7 @@ else
    	&General::system("/usr/local/bin/openvpnctrl", "-drrd", "$confighash{$cgiparams{'KEY'}}[1]");
delete $confighash{$cgiparams{'KEY'}};
-		&General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
+		&General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf");
    	&General::writehasharray("${General::swroot}/ovpn/ovpnconfig", %confighash);
} else {
@@ -4053,7 +4053,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
    	'-batch', '-notext',
    	'-in', $filename,
    	'-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
-		'-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
+		'-config', "/usr/share/openvpn/ovpn.cnf");
        if ($?) {
    	$errormessage = "$Lang::tr{'openssl produced an error'}: $?";
    	unlink ($filename);
@@ -4266,7 +4266,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
    		'-newkey', 'rsa:4096',
    		'-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem",
    		'-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
-			'-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
+			'-config', "/usr/share/openvpn/ovpn.cnf")) {
    	    $errormessage = "$Lang::tr{'cant start openssl'}: $!";
    	    unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
    	    unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem");
@@ -4280,7 +4280,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
    	'-batch', '-notext',
    	'-in',  "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
    	'-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
-		'-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
+		'-config', "/usr/share/openvpn/ovpn.cnf");
        if ($?) {
    	$errormessage = "$Lang::tr{'openssl produced an error'}: $?";
    	unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
diff --git a/lfs/openssl b/lfs/openssl
index 695035742..d6f565df2 100644
--- a/lfs/openssl
+++ b/lfs/openssl
@@ -24,7 +24,7 @@
include Config
-VER        = 3.2.1
+VER        = 3.2.2
THISAPP    = openssl-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -72,7 +72,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 960222e0305166160e5ab000e29650b92063bf726551ee9ad46060166d99738d1e3a5b86fd28b14c8f4fb3a72f5aa70850defb87c02990acff3dbcbdac40b347
+$(DL_FILE)_BLAKE2 = f42d44f31dc9ccf26ffe1fdd4a0119506a211808f92e860a34118109eae2ee7bcb5b0f43cbdf9eb811cd185cb53e092e62d652f7c0c0ce55b13289f7489073c9
install : $(TARGET)
diff --git a/lfs/openvpn b/lfs/openvpn
index b71b4ccc9..0704aa438 100644
--- a/lfs/openvpn
+++ b/lfs/openvpn
@@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
    chown root:root /etc/fcron.daily/openvpn-crl-updater
    chmod 750 /etc/fcron.daily/openvpn-crl-updater
+	# Move the OpenSSL configuration file out of /var/ipfire
+	mkdir -pv /usr/share/openvpn
+	mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \
+		/usr/share/openvpn/
+	rmdir -v /usr/share/openvpn
+
    # Install authenticator
    install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \
    	/usr/sbin/openvpn-authenticator
hooks/post-receive
--
IPFire 2.x development tree

    

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

[git.ipfire.org] IPFire 2.x development tree branch, core186, updated. 73363b89bc6cb1749b83fb42e4f55d960f974f26