This is an automated email from the git hooks/post-receive script. It was generated because a ref change was pushed to the repository containing the project "IPFire 2.x development tree".
The branch, next has been updated
       via  825871b9782085fadc5d78524714c9ca501767fb (commit)
       via  16d664b2bd4cb546cc2f1d5b7f36b2983f93f5d3 (commit)
      from  0c051ce27903e9d18c8ee247d92535c633ef93a2 (commit)
Those revisions listed above that are new to this repository have not appeared on any other notification email; so we list those revisions in full, below.
- Log -----------------------------------------------------------------
commit 825871b9782085fadc5d78524714c9ca501767fb
Author: Michael Tremer <michael.tremer@ipfire.org>
Date:   Mon Mar 4 20:53:12 2024 +0000
core185: Ship ovpn.cnf
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
commit 16d664b2bd4cb546cc2f1d5b7f36b2983f93f5d3
Author: Adolf Belka <adolf.belka@ipfire.org>
Date:   Mon Feb 19 15:16:32 2024 +0100
ovpn.cnf: Removal of SKID & AKID from server section - Fixes Bug#13595
- The update to openssl-3.2.x introduced a bug fix which now gives an error if the subjectKeyIdentifier (SKID) or authorityKeyIdentifier (AKID) is in the x509 extensions for a CSR.
- See the following discussion in the openssl github issues https://github.com/openssl/openssl/issues/22966#issuecomment-1858396738
- The SKID & AKID should never have been specified in the CSR but due to a bug they were never flagged with an error, just ignored. Since the bug fix for that bug was put into OpenSSL-3.2.0 the presence of the SKID & AKID in the CSR causes an error to be flagged.
- The consequence of this is that in CU183 trying to create a new x509 root/host certificate gives an error when the CSR is generated so only the root certificate is created and not the host certificate.
- Tested out the removal of the SKID & AKID lines from the [ server ] section of the ovpn.cnf file and the root/host certificate set was created without any issue.
- Then tested the creation of a RW client connection and that worked with no problems. Also creating a fresh N2N connection worked without any problems.
- Also tested restoring from an earlier backup. The RW and N2N connections worked without issues with the AKID and SKID missing from the [ server ] section.
- It would be good if this could be merged into CU184 for final testing.
Fixes: Bug#13595
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
-----------------------------------------------------------------------
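As an added example (not IPFire's code) of the check behind the commit message above: a small Python linter that reads an OpenSSL-style .cnf and reports subjectKeyIdentifier/authorityKeyIdentifier in any section a certificate request would pick up, either via `req_extensions` or via a section name passed to `openssl req -extensions`. The sample config, including the `[ req ]` wiring, is constructed for this example and is not copied from ovpn.cnf.

```python
import re

# Constructed sample (not the real ovpn.cnf) mirroring the pre-fix [ server ]
# section: SKID/AKID sit in a section that `openssl req` may use for a CSR.
SAMPLE_CNF = """\
[ req ]
req_extensions = server

[ server ]
basicConstraints = CA:FALSE
nsCertType = server
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
extendedKeyUsage = serverAuth
keyUsage = digitalSignature, keyEncipherment
"""

# Extensions OpenSSL >= 3.2.0 refuses to place in a certificate request.
CSR_FORBIDDEN = {"subjectkeyidentifier", "authoritykeyidentifier"}

def parse_cnf(text):
    """Minimal OpenSSL .cnf reader -> {section: {key: value}} (no '#' in values)."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        m = re.fullmatch(r"\[\s*(\S+)\s*\]", line)  # header, e.g. "[ server ]"
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value
    return sections

def csr_extension_problems(text, extra_sections=()):
    """(section, key) pairs a CSR must not carry: the req_extensions section
    plus any section chosen on the command line via `openssl req -extensions`."""
    cfg = parse_cnf(text)
    targets = set(extra_sections)
    if ext := cfg.get("req", {}).get("req_extensions"):
        targets.add(ext)
    return sorted((sec, key) for sec in targets
                  for key in cfg.get(sec, {}) if key.lower() in CSR_FORBIDDEN)

if __name__ == "__main__":
    for sec, key in csr_extension_problems(SAMPLE_CNF, ["server"]):
        print(f"[ {sec} ] {key}: rejected in a CSR by OpenSSL >= 3.2.0")
```

Run against a real ovpn.cnf, pass the section name the CGI hands to `openssl req -extensions` as `extra_sections`; an empty result means the request side is clean under OpenSSL 3.2.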
Summary of changes:
 config/ovpn/openssl/ovpn.cnf              | 3 ---
 config/rootfiles/core/185/filelists/files | 1 +
 2 files changed, 1 insertion(+), 3 deletions(-)
Difference in files: diff --git a/config/ovpn/openssl/ovpn.cnf b/config/ovpn/openssl/ovpn.cnf index 96c3dcb09d..bfa7ad744c 100644 --- a/config/ovpn/openssl/ovpn.cnf +++ b/config/ovpn/openssl/ovpn.cnf @@ -79,13 +79,10 @@ extendedKeyUsage = clientAuth keyUsage = digitalSignature
[ server ] - # JY ADDED -- Make a cert with nsCertType set to "server" basicConstraints = CA:FALSE nsCertType = server nsComment = "OpenSSL Generated Server Certificate" -subjectKeyIdentifier = hash -authorityKeyIdentifier = keyid,issuer:always extendedKeyUsage = serverAuth keyUsage = digitalSignature, keyEncipherment
diff --git a/config/rootfiles/core/185/filelists/files b/config/rootfiles/core/185/filelists/files index d87f365293..3a197e9310 100644 --- a/config/rootfiles/core/185/filelists/files +++ b/config/rootfiles/core/185/filelists/files @@ -49,3 +49,4 @@ srv/web/ipfire/cgi-bin/dns.cgi srv/web/ipfire/cgi-bin/index.cgi srv/web/ipfire/cgi-bin/ovpnmain.cgi var/ipfire/backup/bin/backup.pl +var/ipfire/ovpn/openssl/ovpn.cnf
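Review bot: in the ovpn.cnf hunk the `[ server ]` section now carries no `subjectKeyIdentifier` or `authorityKeyIdentifier` at all, which is right for the request side, but if this same section is also the one handed to the signing step for host certificates, the issued leaf certificate loses its SKID/AKID as well; please confirm on a freshly generated host certificate (`openssl x509 -noout -text`) that the identifiers the chain-building path relies on are still present, or state in the commit message that their absence from the issued certificate is intended.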