public inbox for ipfire-scm@lists.ipfire.org
From: Michael Tremer <git@ipfire.org>
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 825871b9782085fadc5d78524714c9ca501767fb
Date: Mon, 04 Mar 2024 20:54:00 +0000
Message-ID: <4TpWBw3LzHz2xP9@people01.haj.ipfire.org>

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, next has been updated
       via  825871b9782085fadc5d78524714c9ca501767fb (commit)
       via  16d664b2bd4cb546cc2f1d5b7f36b2983f93f5d3 (commit)
      from  0c051ce27903e9d18c8ee247d92535c633ef93a2 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 825871b9782085fadc5d78524714c9ca501767fb
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Mon Mar 4 20:53:12 2024 +0000

    core185: Ship ovpn.cnf
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 16d664b2bd4cb546cc2f1d5b7f36b2983f93f5d3
Author: Adolf Belka <adolf.belka(a)ipfire.org>
Date:   Mon Feb 19 15:16:32 2024 +0100

    ovpn.cnf: Removal of SKID & AKID from server section - Fixes Bug#13595
    
    - The update to openssl-3.2.x introduced a bug fix which now gives an error if the
       subjectKeyIdentifier (SKID) or authorityKeyIdentifier (AKID) is in the x509 extensions
       for a CSR.
    - See the following discussion in the openssl github issues
       https://github.com/openssl/openssl/issues/22966#issuecomment-1858396738
    - The SKID & AKID should never have been specified in the CSR but due to a bug they were
       never flagged with an error, just ignored. Since the bug fix for that bug was put into
       OpenSSL-3.2.0 the presence of the SKID & AKID in the CSR causes an error to be flagged.
    - The consequence of this is that in CU183 trying to create a new x509 root/host
       certificate gives an error when the CSR is generated so only the root certificate is
       created and not the host certificate.
    - Tested out the removal of the SKID & AKID lines from the [ server ] section of the
       ovpn.cnf file and the root/host certificate set was created without any issue.
    - Then tested the creation of a RW client connection and that worked with no problems. Also
       creating a fresh N2N connection worked without any problems.
    - Also tested restoring from an earlier backup. The RW and N2N connections worked without
       issues with the AKID and SKID missing from the [ server ] section.
    - It would be good if this could be merged into CU184 for final testing.
    
    Fixes: Bug#13595
    Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
    Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

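As an added example (not part of this commit or of IPFire's own code), a small Python check that parses an OpenSSL-style cnf and reports SKID/AKID keys in the section a CSR would pull its extensions from, run on a constructed copy of the pre-fix `[ server ]` block shown in the diff; the assumption that `[ server ]` is selected through `req_extensions` is mine, since the actual openssl invocation in ovpnmain.cgi is not shown in this message.

```python
"""Lint an OpenSSL-style cnf for SKID/AKID keys in the section a CSR would use."""
import re

# Constructed sample mirroring the pre-fix [ server ] block of ovpn.cnf; the [ req ]
# wiring via req_extensions is an assumption, not taken from IPFire's config.
SAMPLE_BEFORE = """\
[ req ]
req_extensions = server

[ server ]
# JY ADDED -- Make a cert with nsCertType set to "server"
basicConstraints\t\t= CA:FALSE
nsCertType\t\t\t= server
nsComment\t\t\t= "OpenSSL Generated Server Certificate"
subjectKeyIdentifier\t\t= hash
authorityKeyIdentifier\t\t= keyid,issuer:always
extendedKeyUsage               = serverAuth
keyUsage                       = digitalSignature, keyEncipherment
"""
# Identifiers that belong in the CA-issued certificate, not in the CSR (OpenSSL >= 3.2 errors on them)
CSR_FORBIDDEN = ("subjectKeyIdentifier", "authorityKeyIdentifier")
SECTION_RE = re.compile(r"\s*\[\s*([^\]]+?)\s*\]\s*")

def parse_sections(text):
    """Return {section: {key: value}}, ignoring comments, blank lines and tab/space padding."""
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = SECTION_RE.fullmatch(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current][key] = value
    return sections

def csr_extension_problems(text, section=None):
    """List SKID/AKID keys present in `section` (default: the [ req ] req_extensions section)."""
    secs = parse_sections(text)
    if section is None:
        section = secs.get("req", {}).get("req_extensions", "")
    return [k for k in CSR_FORBIDDEN if k in secs.get(section, {})]
```

Running the check against an installed ovpn.cnf before upgrading to OpenSSL 3.2 flags the two lines this commit removes; an empty list means the section is safe to use for CSR generation.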
-----------------------------------------------------------------------

Summary of changes:
 config/ovpn/openssl/ovpn.cnf              | 3 ---
 config/rootfiles/core/185/filelists/files | 1 +
 2 files changed, 1 insertion(+), 3 deletions(-)

Difference in files:
diff --git a/config/ovpn/openssl/ovpn.cnf b/config/ovpn/openssl/ovpn.cnf
index 96c3dcb09d..bfa7ad744c 100644
--- a/config/ovpn/openssl/ovpn.cnf
+++ b/config/ovpn/openssl/ovpn.cnf
@@ -79,13 +79,10 @@ extendedKeyUsage               = clientAuth
 keyUsage                       = digitalSignature
 
 [ server ]
-
 # JY ADDED -- Make a cert with nsCertType set to "server"
 basicConstraints		= CA:FALSE
 nsCertType			= server
 nsComment			= "OpenSSL Generated Server Certificate"
-subjectKeyIdentifier		= hash
-authorityKeyIdentifier		= keyid,issuer:always 
 extendedKeyUsage               = serverAuth
 keyUsage                       = digitalSignature, keyEncipherment
 
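Review bot: dropping `subjectKeyIdentifier = hash` and `authorityKeyIdentifier = keyid,issuer:always` from `[ server ]` resolves the CSR error, but if this same section is also the one handed to the signing step when the CA issues the host certificate, the issued certificate will no longer carry SKID/AKID, which clients rely on for chain building; it would help to confirm in the commit message that the signing path in ovpnmain.cgi adds these identifiers from elsewhere (or that `[ server ]` is only used for CSR generation). The removal of the blank line after `[ server ]` is an unrelated whitespace change and could be left out of a bug-fix commit.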
diff --git a/config/rootfiles/core/185/filelists/files b/config/rootfiles/core/185/filelists/files
index d87f365293..3a197e9310 100644
--- a/config/rootfiles/core/185/filelists/files
+++ b/config/rootfiles/core/185/filelists/files
@@ -49,3 +49,4 @@ srv/web/ipfire/cgi-bin/dns.cgi
 srv/web/ipfire/cgi-bin/index.cgi
 srv/web/ipfire/cgi-bin/ovpnmain.cgi
 var/ipfire/backup/bin/backup.pl
+var/ipfire/ovpn/openssl/ovpn.cnf
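Review bot: adding `var/ipfire/ovpn/openssl/ovpn.cnf` to the core 185 filelist means the update overwrites any locally edited copy of that file on upgraded systems; the commit message reports that existing RW and N2N connections and restored backups keep working without the two identifiers, so this is acceptable, but it is worth a line in the update notes for anyone who has customised ovpn.cnf.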


hooks/post-receive
--
IPFire 2.x development tree
