* [git.ipfire.org] IPFire 2.x development tree branch, next, updated. 825871b9782085fadc5d78524714c9ca501767fb
@ 2024-03-04 20:54 Michael Tremer
From: Michael Tremer @ 2024-03-04 20:54 UTC (permalink / raw)
To: ipfire-scm
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, next has been updated
via 825871b9782085fadc5d78524714c9ca501767fb (commit)
via 16d664b2bd4cb546cc2f1d5b7f36b2983f93f5d3 (commit)
from 0c051ce27903e9d18c8ee247d92535c633ef93a2 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 825871b9782085fadc5d78524714c9ca501767fb
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Mon Mar 4 20:53:12 2024 +0000
core185: Ship ovpn.cnf
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 16d664b2bd4cb546cc2f1d5b7f36b2983f93f5d3
Author: Adolf Belka <adolf.belka(a)ipfire.org>
Date: Mon Feb 19 15:16:32 2024 +0100
ovpn.cnf: Removal of SKID & AKID from server section - Fixes Bug#13595
- The update to openssl-3.2.x introduced a bug fix which now gives an error if the
subjectKeyIdentifier (SKID) or authorityKeyIdentifier (AKID) is in the x509 extensions
for a CSR.
- See the following discussion in the openssl github issues
https://github.com/openssl/openssl/issues/22966#issuecomment-1858396738
- The SKID & AKID should never have been specified in the CSR but due to a bug they were
never flagged with an error, just ignored. Since the bug fix for that bug was put into
OpenSSL-3.2.0 the presence of the SKID & AKID in the CSR causes an error to be flagged.
- The consequence of this is that in CU183 trying to create a new x509 root/host
certificate gives an error when the CSR is generated so only the root certificate is
created and not the host certificate.
- Tested out the removal of the SKID & AKID lines from the [ server ] section of the
ovpn.cnf file and the root/host certificate set was created without any issue.
- Then tested the creation of a RW client connection and that worked with no problems. Also
creating a fresh N2N connection worked without any problems.
- Also tested restoring from an earlier backup. The RW and N2N connections worked without
issues with the AKID and SKID missing from the [ server ] section.
- It would be good if this could be merged into CU184 for final testing.
Fixes: Bug#13595
Tested-by: Adolf Belka <adolf.belka(a)ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka(a)ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
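The failure described in the commit message, as an added shell example that is not part of the IPFire commit or of its ovpn.cnf: it builds a throwaway CA, generates a host CSR from a request section that omits SKID and AKID (the fix), then tries the same CSR with the two removed lines present so the installed OpenSSL can show whether it rejects them (3.2 and later) or ignores them (older releases). It goes one step beyond the page by adding the identifiers in the extension section the CA applies at signing time, where the issuer is known, and checking that the issued host certificate still carries both. The config section names, file names and subject names are constructed for this demo; the script needs the openssl command line tool.

```shell
#!/bin/sh
# Added example, not part of the IPFire commit: reproduce the CSR extension
# problem from Bug#13595 and check that moving SKID/AKID to the signing step
# keeps them on the issued host certificate. Section names, file names and
# subjects are constructed for this demo; the two identifier lines are the
# ones the commit removed from ovpn.cnf. Needs the openssl CLI.
set -e

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys, CSRs and certs
CNF="$WORK/demo.cnf"

write_config() {
    cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
commonName = placeholder

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

# request extensions for a host cert: no key identifiers here (the fix)
[ server_req ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
keyUsage = digitalSignature, keyEncipherment

# same section with the two lines the commit removed; OpenSSL 3.2+ refuses
# to put an AKID into a CSR because no issuer certificate exists yet
[ server_req_with_ids ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
keyUsage = digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always

# extensions the CA applies while signing: the issuer is known here,
# so this is where the identifiers belong
[ server_cert ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
keyUsage = digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer:always
EOF
}

make_ca() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/ca.key" 2>/dev/null
    openssl req -x509 -new -key "$WORK/ca.key" -subj "/CN=Demo Root CA" \
        -days 30 -config "$CNF" -extensions v3_ca -out "$WORK/ca.crt"
}

# host key plus a CSR built from the corrected request section
make_csr() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/host.key" 2>/dev/null
    openssl req -new -key "$WORK/host.key" -subj "/CN=host.example.test" \
        -config "$CNF" -reqexts server_req -out "$WORK/host.csr"
}

# same CSR with the identifiers in the request section; returns 0 if the
# installed OpenSSL accepted it (pre-3.2) and 1 if it refused (3.2 and later)
csr_with_ids_accepted() {
    if openssl req -new -key "$WORK/host.key" -subj "/CN=host.example.test" \
           -config "$CNF" -reqexts server_req_with_ids \
           -out "$WORK/host-with-ids.csr" 2>/dev/null; then
        return 0
    fi
    return 1
}

# the CA signs the clean CSR and adds SKID/AKID from [ server_cert ]
sign_csr() {
    openssl x509 -req -in "$WORK/host.csr" -CA "$WORK/ca.crt" \
        -CAkey "$WORK/ca.key" -set_serial 1 -days 30 \
        -extfile "$CNF" -extensions server_cert -out "$WORK/host.crt" 2>/dev/null
}

# returns 0 only if the issued certificate carries both key identifiers
cert_has_key_ids() {
    text=$(openssl x509 -in "$WORK/host.crt" -noout -text)
    case "$text" in *"Subject Key Identifier"*) ;; *) return 1 ;; esac
    case "$text" in *"Authority Key Identifier"*) ;; *) return 1 ;; esac
    return 0
}

# returns 0 if the issued certificate chains to the demo CA
cert_verifies() {
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/host.crt" >/dev/null 2>&1
}

echo "using: $(openssl version)"
write_config
make_ca
make_csr
sign_csr
if csr_with_ids_accepted; then
    echo "CSR with SKID/AKID in request section: accepted (pre-3.2 behaviour)"
else
    echo "CSR with SKID/AKID in request section: rejected (OpenSSL 3.2+ behaviour)"
fi
cert_has_key_ids && echo "issued host certificate carries SKID and AKID"
cert_verifies && echo "issued host certificate verifies against the demo CA"
```

The check that matters after a change like this one is the last two lines: a request section without the identifiers is only safe if the signing side adds them, otherwise the host certificate ends up without an AKID and strict verifiers (and RFC 5280) will object.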
-----------------------------------------------------------------------
Summary of changes:
config/ovpn/openssl/ovpn.cnf | 3 ---
config/rootfiles/core/185/filelists/files | 1 +
2 files changed, 1 insertion(+), 3 deletions(-)
Difference in files:
diff --git a/config/ovpn/openssl/ovpn.cnf b/config/ovpn/openssl/ovpn.cnf
index 96c3dcb09d..bfa7ad744c 100644
--- a/config/ovpn/openssl/ovpn.cnf
+++ b/config/ovpn/openssl/ovpn.cnf
@@ -79,13 +79,10 @@ extendedKeyUsage = clientAuth
keyUsage = digitalSignature
[ server ]
-
# JY ADDED -- Make a cert with nsCertType set to "server"
basicConstraints = CA:FALSE
nsCertType = server
nsComment = "OpenSSL Generated Server Certificate"
-subjectKeyIdentifier = hash
-authorityKeyIdentifier = keyid,issuer:always
extendedKeyUsage = serverAuth
keyUsage = digitalSignature, keyEncipherment
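Review bot: the two removed lines were the only source of subjectKeyIdentifier and authorityKeyIdentifier for certificates built from `[ server ]`, and the hunk does not show whether this section is used only when the CSR is generated or also when the root CA signs the host certificate; in the second case the issued host certificate now ships without SKID and AKID, so please confirm with `openssl x509 -in <hostcert> -noout -text` that both extensions are still present after signing, and if they are not, add them in the extension section applied at signing time (where the issuer is known) rather than in the request section. Minor: the hunk also drops the blank line after `[ server ]`, an unrelated whitespace change worth a mention in the message.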
diff --git a/config/rootfiles/core/185/filelists/files b/config/rootfiles/core/185/filelists/files
index d87f365293..3a197e9310 100644
--- a/config/rootfiles/core/185/filelists/files
+++ b/config/rootfiles/core/185/filelists/files
@@ -49,3 +49,4 @@ srv/web/ipfire/cgi-bin/dns.cgi
srv/web/ipfire/cgi-bin/index.cgi
srv/web/ipfire/cgi-bin/ovpnmain.cgi
var/ipfire/backup/bin/backup.pl
+var/ipfire/ovpn/openssl/ovpn.cnf
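Review bot: the commit message "core185: Ship ovpn.cnf" gives no reason for this entry; please reference Bug#13595 and the SKID/AKID removal so the Core Update changelog explains why an OpenVPN config file is being replaced. Also confirm that `var/ipfire/ovpn/openssl/ovpn.cnf` is not a file installations are expected to edit locally, since listing it here overwrites the installed copy during the update; existing certificates are unaffected, only newly generated CSRs use the changed `[ server ]` section. The entry sits in sorted order after `var/ipfire/backup/bin/backup.pl`, consistent with the rest of the list.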
hooks/post-receive
--
IPFire 2.x development tree