public inbox for ipfire-scm@lists.ipfire.org
* [git.ipfire.org] IPFire 2.x development tree branch, core186, updated. 73363b89bc6cb1749b83fb42e4f55d960f974f26
@ 2024-06-07 16:07 Michael Tremer
From: Michael Tremer @ 2024-06-07 16:07 UTC (permalink / raw)
  To: ipfire-scm

This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".

The branch, core186 has been updated
       via  73363b89bc6cb1749b83fb42e4f55d960f974f26 (commit)
       via  04acd0b7ce1ffaa36641344d49199256956f3973 (commit)
       via  4697a1f7f73a5f7ba869c8ad2ce267bd6d65fcc5 (commit)
       via  51c8b155d1b888f45b234b86cb67b58512853294 (commit)
      from  f3d6e2a0fbb21b78e3a5247049bc7b21595f2153 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
commit 73363b89bc6cb1749b83fb42e4f55d960f974f26
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Fri Jun 7 16:06:40 2024 +0000

    core186: Ship the changed location of the OpenSSL configuration for OpenVPN
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 04acd0b7ce1ffaa36641344d49199256956f3973
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Fri Jun 7 16:05:04 2024 +0000

    core186: Ship OpenSSL
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 4697a1f7f73a5f7ba869c8ad2ce267bd6d65fcc5
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Fri Jun 7 16:01:07 2024 +0000

    OpenVPN: Move the OpenSSL configuration file out of /var/ipfire
    
    We should not have any configuration files that we share in this place,
    therefore this patch is moving it into /usr/share/openvpn where we
    should be able to update it without any issues.
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

commit 51c8b155d1b888f45b234b86cb67b58512853294
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date:   Fri Jun 7 15:01:27 2024 +0000

    openssl: Update to 3.2.2
    
    https://www.openssl.org/news/openssl-3.2-notes.html
    
    Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>

-----------------------------------------------------------------------

Summary of changes:
 config/ovpn/openvpn-crl-updater                      |  3 +--
 config/rootfiles/common/openssl                      |  5 +++++
 config/rootfiles/common/openvpn                      |  2 +-
 config/rootfiles/core/186/filelists/files            |  1 +
 .../{oldcore/100 => core/186}/filelists/openssl      |  0
 config/rootfiles/core/186/update.sh                  |  4 ++--
 html/cgi-bin/ovpnmain.cgi                            | 20 ++++++++++----------
 lfs/openssl                                          |  4 ++--
 lfs/openvpn                                          |  6 ++++++
 9 files changed, 28 insertions(+), 17 deletions(-)
 copy config/rootfiles/{oldcore/100 => core/186}/filelists/openssl (100%)

Difference in files:
diff --git a/config/ovpn/openvpn-crl-updater b/config/ovpn/openvpn-crl-updater
index 5fbe21080..5008d6725 100644
--- a/config/ovpn/openvpn-crl-updater
+++ b/config/ovpn/openvpn-crl-updater
@@ -43,7 +43,6 @@ OVPN="/var/ipfire/ovpn"
 CRL="${OVPN}/crls/cacrl.pem"
 CAKEY="${OVPN}/ca/cakey.pem"
 CACERT="${OVPN}/ca/cacert.pem"
-OPENSSLCONF="${OVPN}/openssl/ovpn.cnf"
 
 # Check if CRL is presant or if OpenVPN is active
 if [ ! -e "${CAKEY}" ]; then
@@ -76,7 +75,7 @@ UPDATE="14"
 ## Mainpart
 # Check if OpenVPNs CRL needs to be renewed
 if [ ${NEXTUPDATE} -le ${UPDATE} ]; then
-    if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}"; then
+    if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "/usr/share/openvpn/ovpn.cnf"; then
 		logger -t openvpn "CRL has been updated"
     else
 		logger -t openvpn "error: Could not update CRL"
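Review bot: In the openssl ca -gencrl line the config path is now a literal, while CAKEY, CACERT and CRL are still variables defined at the top of the script. Keep the variable and change only its value (OPENSSLCONF="/usr/share/openvpn/ovpn.cnf"), so the path lives in one place. The script already tests [ ! -e "${CAKEY}" ] before doing any work; a matching existence test for the config file would turn a missing file into a clear log message instead of a generic "Could not update CRL".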
diff --git a/config/rootfiles/common/openssl b/config/rootfiles/common/openssl
index a3664a521..d5f4f3814 100644
--- a/config/rootfiles/common/openssl
+++ b/config/rootfiles/common/openssl
@@ -797,6 +797,7 @@ usr/lib/ossl-modules/legacy.so
 #usr/share/doc/openssl/html/man3/SSL_set_incoming_stream_policy.html
 #usr/share/doc/openssl/html/man3/SSL_set_retry_verify.html
 #usr/share/doc/openssl/html/man3/SSL_set_session.html
+#usr/share/doc/openssl/html/man3/SSL_set_session_secret_cb.html
 #usr/share/doc/openssl/html/man3/SSL_set_shutdown.html
 #usr/share/doc/openssl/html/man3/SSL_set_verify_result.html
 #usr/share/doc/openssl/html/man3/SSL_shutdown.html
@@ -966,6 +967,7 @@ usr/lib/ossl-modules/legacy.so
 #usr/share/doc/openssl/html/man7/OSSL_PROVIDER-default.html
 #usr/share/doc/openssl/html/man7/OSSL_PROVIDER-legacy.html
 #usr/share/doc/openssl/html/man7/OSSL_PROVIDER-null.html
+#usr/share/doc/openssl/html/man7/OSSL_STORE-winstore.html
 #usr/share/doc/openssl/html/man7/RAND.html
 #usr/share/doc/openssl/html/man7/RSA-PSS.html
 #usr/share/doc/openssl/html/man7/X25519.html
@@ -5515,6 +5517,7 @@ usr/lib/ossl-modules/legacy.so
 #usr/share/man/man3/SSL_set_security_level.3ossl
 #usr/share/man/man3/SSL_set_session.3ossl
 #usr/share/man/man3/SSL_set_session_id_context.3ossl
+#usr/share/man/man3/SSL_set_session_secret_cb.3ossl
 #usr/share/man/man3/SSL_set_shutdown.3ossl
 #usr/share/man/man3/SSL_set_split_send_fragment.3ossl
 #usr/share/man/man3/SSL_set_srp_server_param.3ossl
@@ -6703,6 +6706,7 @@ usr/lib/ossl-modules/legacy.so
 #usr/share/man/man3/sk_TYPE_value.3ossl
 #usr/share/man/man3/sk_TYPE_zero.3ossl
 #usr/share/man/man3/ssl_ct_validation_cb.3ossl
+#usr/share/man/man3/tls_session_secret_cb_fn.3ossl
 #usr/share/man/man5/config.5ossl
 #usr/share/man/man5/fips_config.5ossl
 #usr/share/man/man5/x509v3_config.5ossl
@@ -6828,6 +6832,7 @@ usr/lib/ossl-modules/legacy.so
 #usr/share/man/man7/OSSL_PROVIDER-default.7ossl
 #usr/share/man/man7/OSSL_PROVIDER-legacy.7ossl
 #usr/share/man/man7/OSSL_PROVIDER-null.7ossl
+#usr/share/man/man7/OSSL_STORE-winstore.7ossl
 #usr/share/man/man7/RAND.7ossl
 #usr/share/man/man7/RSA-PSS.7ossl
 #usr/share/man/man7/RSA.7ossl
diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn
index d9848a579..c0d49bfad 100644
--- a/config/rootfiles/common/openvpn
+++ b/config/rootfiles/common/openvpn
@@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator
 #usr/share/doc/openvpn/openvpn.8.html
 #usr/share/man/man5/openvpn-examples.5
 #usr/share/man/man8/openvpn.8
+usr/share/openvpn/openssl.cnf
 var/ipfire/ovpn/ca
 var/ipfire/ovpn/caconfig
 var/ipfire/ovpn/ccd
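Review bot: The added rootfile entry usr/share/openvpn/openssl.cnf does not match the file this push installs. lfs/openvpn moves /var/ipfire/ovpn/openssl/ovpn.cnf into /usr/share/openvpn/ without renaming it, and every -config argument in openvpn-crl-updater and ovpnmain.cgi reads /usr/share/openvpn/ovpn.cnf. The entry should be usr/share/openvpn/ovpn.cnf, otherwise the file the scripts depend on is not packaged.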
@@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial
 var/ipfire/ovpn/crls
 var/ipfire/ovpn/n2nconf
 #var/ipfire/ovpn/openssl
-var/ipfire/ovpn/openssl/ovpn.cnf
 var/ipfire/ovpn/openvpn-authenticator
 var/ipfire/ovpn/ovpn-leases.db
 var/ipfire/ovpn/ovpnconfig
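Review bot: The commented entry #var/ipfire/ovpn/openssl is left in place above the removed line, although the file inside it is gone and update.sh in this push deletes that directory on existing systems. Drop the stale entry together with var/ipfire/ovpn/openssl/ovpn.cnf so the rootfile reflects that the directory is no longer created.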
diff --git a/config/rootfiles/core/186/filelists/files b/config/rootfiles/core/186/filelists/files
index 3f0d11ae2..89b92cd1f 100644
--- a/config/rootfiles/core/186/filelists/files
+++ b/config/rootfiles/core/186/filelists/files
@@ -15,5 +15,6 @@ etc/rc.d/rc6.d/K01grub-btrfsd
 srv/web/ipfire/cgi-bin/vulnerabilities.cgi
 usr/local/bin/ipsec-interfaces
 usr/sbin/unbound-dhcp-leases-bridge
+usr/share/openvpn/openssl.cnf
 var/ipfire/header.pl
 var/ipfire/ipblocklist/sources
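Review bot: The added line ships usr/share/openvpn/openssl.cnf with the Core Update, but the callers changed in this push all pass /usr/share/openvpn/ovpn.cnf to openssl. As written, an updated system would not receive a file at the path the CGI and the CRL updater read. Use usr/share/openvpn/ovpn.cnf here, matching the name used in lfs/openvpn.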
diff --git a/config/rootfiles/core/186/filelists/openssl b/config/rootfiles/core/186/filelists/openssl
new file mode 120000
index 000000000..e011a9266
--- /dev/null
+++ b/config/rootfiles/core/186/filelists/openssl
@@ -0,0 +1 @@
+../../../common/openssl
\ No newline at end of file
diff --git a/config/rootfiles/core/186/update.sh b/config/rootfiles/core/186/update.sh
index 5d7add89f..02f799af8 100644
--- a/config/rootfiles/core/186/update.sh
+++ b/config/rootfiles/core/186/update.sh
@@ -104,8 +104,8 @@ done
 extract_files
 
 # Remove files
-#rm -rvf \
-#	/XXX
+rm -rvf \
+	/var/ipfire/ovpn/openssl
 
 # update linker config
 ldconfig
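Review bot: The rm -rvf of /var/ipfire/ovpn/openssl runs unconditionally after extract_files, with no check that the replacement configuration is in place. If /usr/share/openvpn/ovpn.cnf was not extracted (the filelist in this push names openssl.cnf instead), this deletes the only copy on the system and certificate issuance, revocation and CRL renewal stop working. Guard the removal with a test such as [ -e /usr/share/openvpn/ovpn.cnf ] and log a failure otherwise.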
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index c92d0237d..f0172978f 100755
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -1836,7 +1836,7 @@ END
 			'-days', '999999', '-newkey', 'rsa:4096', '-sha512',
 			'-keyout', "${General::swroot}/ovpn/ca/cakey.pem",
 			'-out', "${General::swroot}/ovpn/ca/cacert.pem",
-			'-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
+			'-config', "/usr/share/openvpn/ovpn.cnf")) {
 		$errormessage = "$Lang::tr{'cant start openssl'}: $!";
 		goto ROOTCERT_ERROR;
 	    }
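Review bot: The literal "/usr/share/openvpn/ovpn.cnf" introduced on the -config line here is repeated in every other hunk of this file. Define it once near the top of the script (for example a single scalar holding the OpenSSL configuration path) and pass that variable to each openssl call, so a later relocation is a one-line change and cannot leave one call site pointing at the old path.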
@@ -1868,7 +1868,7 @@ END
 			'-keyout', "${General::swroot}/ovpn/certs/serverkey.pem",
 			'-out', "${General::swroot}/ovpn/certs/serverreq.pem",
 			'-extensions', 'server',
-			'-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" )) {
+			'-config', "/usr/share/openvpn/ovpn.cnf" )) {
 		$errormessage = "$Lang::tr{'cant start openssl'}: $!";
 		unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
 		unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
@@ -1885,7 +1885,7 @@ END
 		'-in',  "${General::swroot}/ovpn/certs/serverreq.pem",
 		'-out', "${General::swroot}/ovpn/certs/servercert.pem",
 		'-extensions', 'server',
-		'-config', "${General::swroot}/ovpn/openssl/ovpn.cnf");
+		'-config', "/usr/share/openvpn/ovpn.cnf");
 	if ($?) {
 	    $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
 	    unlink ("${General::swroot}/ovpn/ca/cakey.pem");
@@ -1904,7 +1904,7 @@ END
 	# System call is safe, because all arguments are passed as array.
 	system('/usr/bin/openssl', 'ca', '-gencrl',
 		'-out', "${General::swroot}/ovpn/crls/cacrl.pem",
-		'-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" );
+		'-config', "/usr/share/openvpn/ovpn.cnf" );
 	if ($?) {
 	    $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
 	    unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
@@ -2426,8 +2426,8 @@ else
 
 	if ($confighash{$cgiparams{'KEY'}}) {
 		# Revoke certificate if certificate was deleted and rewrite the CRL
-		&General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
-		&General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
+		&General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "/usr/share/openvpn/ovpn.cnf");
+		&General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf");
 
 ###
 # m.a.d net2net
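Review bot: The two &General::system calls for openssl ca -revoke and openssl ca -gencrl do not check a result, unlike the system() calls in the other hunks of this file that test $? and set $errormessage. With the -config path changing in this push, a missing /usr/share/openvpn/ovpn.cnf would leave the deleted connection's certificate unrevoked and the CRL unchanged without any message to the administrator. Check the return value of both calls and report an error before the connection entry is removed.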
@@ -2480,7 +2480,7 @@ else
 		&General::system("/usr/local/bin/openvpnctrl", "-drrd", "$confighash{$cgiparams{'KEY'}}[1]");
 
 		delete $confighash{$cgiparams{'KEY'}};
-		&General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
+		&General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf");
 		&General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
 
 	} else {
@@ -4053,7 +4053,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
 		'-batch', '-notext',
 		'-in', $filename,
 		'-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
-		'-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
+		'-config', "/usr/share/openvpn/ovpn.cnf");
 	    if ($?) {
 		$errormessage = "$Lang::tr{'openssl produced an error'}: $?";
 		unlink ($filename);
@@ -4266,7 +4266,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
 			'-newkey', 'rsa:4096',
 			'-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem",
 			'-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
-			'-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
+			'-config', "/usr/share/openvpn/ovpn.cnf")) {
 		    $errormessage = "$Lang::tr{'cant start openssl'}: $!";
 		    unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
 		    unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem");
@@ -4280,7 +4280,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
 		'-batch', '-notext',
 		'-in',  "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
 		'-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
-		'-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
+		'-config', "/usr/share/openvpn/ovpn.cnf");
 	    if ($?) {
 		$errormessage = "$Lang::tr{'openssl produced an error'}: $?";
 		unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
diff --git a/lfs/openssl b/lfs/openssl
index 695035742..d6f565df2 100644
--- a/lfs/openssl
+++ b/lfs/openssl
@@ -24,7 +24,7 @@
 
 include Config
 
-VER        = 3.2.1
+VER        = 3.2.2
 
 THISAPP    = openssl-$(VER)
 DL_FILE    = $(THISAPP).tar.gz
@@ -72,7 +72,7 @@ objects = $(DL_FILE)
 
 $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
 
-$(DL_FILE)_BLAKE2 = 960222e0305166160e5ab000e29650b92063bf726551ee9ad46060166d99738d1e3a5b86fd28b14c8f4fb3a72f5aa70850defb87c02990acff3dbcbdac40b347
+$(DL_FILE)_BLAKE2 = f42d44f31dc9ccf26ffe1fdd4a0119506a211808f92e860a34118109eae2ee7bcb5b0f43cbdf9eb811cd185cb53e092e62d652f7c0c0ce55b13289f7489073c9
 
 install : $(TARGET)
 
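Review bot: The new $(DL_FILE)_BLAKE2 value for the 3.2.2 tarball comes with no record of how the download was validated; the commit message links only the release notes. State in the commit message that the tarball was checked against upstream's published signature or checksum before this digest was computed, so the pinned hash can be traced to a verified source.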
diff --git a/lfs/openvpn b/lfs/openvpn
index b71b4ccc9..0704aa438 100644
--- a/lfs/openvpn
+++ b/lfs/openvpn
@@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	chown root:root /etc/fcron.daily/openvpn-crl-updater
 	chmod 750 /etc/fcron.daily/openvpn-crl-updater
 
+	# Move the OpenSSL configuration file out of /var/ipfire
+	mkdir -pv /usr/share/openvpn
+	mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \
+		/usr/share/openvpn/
+	rmdir -v /usr/share/openvpn
+
 	# Install authenticator
 	install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \
 		/usr/sbin/openvpn-authenticator
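Review bot: The added rmdir -v /usr/share/openvpn targets the directory that the preceding mv has just populated. rmdir refuses to remove a non-empty directory, so this step fails and aborts the recipe; if it ever succeeded it would delete the new location. The directory that is now empty is the source, so the line should read rmdir -v /var/ipfire/ovpn/openssl.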


hooks/post-receive
--
IPFire 2.x development tree
