From: Michael Tremer <git@ipfire.org>
To: ipfire-scm@lists.ipfire.org
Subject: [git.ipfire.org] IPFire 2.x development tree branch, master, updated. 1ed2ed6310a80510304af993b68c35060731ceff
Date: Mon, 10 Jun 2024 15:37:44 +0000 [thread overview]
Message-ID: <4VybXm2kJSz2xVF@people01.haj.ipfire.org> (raw)
[-- Attachment #1: Type: text/plain, Size: 14887 bytes --]
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "IPFire 2.x development tree".
The branch, master has been updated
via 1ed2ed6310a80510304af993b68c35060731ceff (commit)
via d545c338f0d14ecec48623e15efc1c28b44cbce7 (commit)
via 73363b89bc6cb1749b83fb42e4f55d960f974f26 (commit)
via 04acd0b7ce1ffaa36641344d49199256956f3973 (commit)
via 4697a1f7f73a5f7ba869c8ad2ce267bd6d65fcc5 (commit)
via 51c8b155d1b888f45b234b86cb67b58512853294 (commit)
from f3d6e2a0fbb21b78e3a5247049bc7b21595f2153 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
commit 1ed2ed6310a80510304af993b68c35060731ceff
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Mon Jun 10 15:37:16 2024 +0000
core186: Ship ovpnmain.cgi
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit d545c338f0d14ecec48623e15efc1c28b44cbce7
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Sat Jun 8 10:22:39 2024 +0000
openvpn: Fix broken paths
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 73363b89bc6cb1749b83fb42e4f55d960f974f26
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Fri Jun 7 16:06:40 2024 +0000
core186: Ship the changed location of the OpenSSL configuration for OpenVPN
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 04acd0b7ce1ffaa36641344d49199256956f3973
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Fri Jun 7 16:05:04 2024 +0000
core186: Ship OpenSSL
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 4697a1f7f73a5f7ba869c8ad2ce267bd6d65fcc5
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Fri Jun 7 16:01:07 2024 +0000
OpenVPN: Move the OpenSSL configuration file out of /var/ipfire
We should not have any configuration files that we share in this place,
therefore this patch is moving it into /usr/share/openvpn where we
should be able to update it without any issues.
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
commit 51c8b155d1b888f45b234b86cb67b58512853294
Author: Michael Tremer <michael.tremer(a)ipfire.org>
Date: Fri Jun 7 15:01:27 2024 +0000
openssl: Update to 3.2.2
https://www.openssl.org/news/openssl-3.2-notes.html
Signed-off-by: Michael Tremer <michael.tremer(a)ipfire.org>
-----------------------------------------------------------------------
Summary of changes:
config/ovpn/openvpn-crl-updater | 3 +--
config/rootfiles/common/openssl | 5 +++++
config/rootfiles/common/openvpn | 2 +-
config/rootfiles/core/186/filelists/files | 2 ++
.../{oldcore/100 => core/186}/filelists/openssl | 0
config/rootfiles/core/186/update.sh | 4 ++--
html/cgi-bin/ovpnmain.cgi | 20 ++++++++++----------
lfs/openssl | 4 ++--
lfs/openvpn | 6 ++++++
9 files changed, 29 insertions(+), 17 deletions(-)
copy config/rootfiles/{oldcore/100 => core/186}/filelists/openssl (100%)
Difference in files:
diff --git a/config/ovpn/openvpn-crl-updater b/config/ovpn/openvpn-crl-updater
index 5fbe21080..5008d6725 100644
--- a/config/ovpn/openvpn-crl-updater
+++ b/config/ovpn/openvpn-crl-updater
@@ -43,7 +43,6 @@ OVPN="/var/ipfire/ovpn"
CRL="${OVPN}/crls/cacrl.pem"
CAKEY="${OVPN}/ca/cakey.pem"
CACERT="${OVPN}/ca/cacert.pem"
-OPENSSLCONF="${OVPN}/openssl/ovpn.cnf"
# Check if CRL is presant or if OpenVPN is active
if [ ! -e "${CAKEY}" ]; then
@@ -76,7 +75,7 @@ UPDATE="14"
## Mainpart
# Check if OpenVPNs CRL needs to be renewed
if [ ${NEXTUPDATE} -le ${UPDATE} ]; then
- if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "${OPENSSLCONF}"; then
+ if openssl ca -gencrl -keyfile "${CAKEY}" -cert "${CACERT}" -out "${CRL}" -config "/usr/share/openvpn/ovpn.cnf"; then
logger -t openvpn "CRL has been updated"
else
logger -t openvpn "error: Could not update CRL"
diff --git a/config/rootfiles/common/openssl b/config/rootfiles/common/openssl
index a3664a521..d5f4f3814 100644
--- a/config/rootfiles/common/openssl
+++ b/config/rootfiles/common/openssl
@@ -797,6 +797,7 @@ usr/lib/ossl-modules/legacy.so
#usr/share/doc/openssl/html/man3/SSL_set_incoming_stream_policy.html
#usr/share/doc/openssl/html/man3/SSL_set_retry_verify.html
#usr/share/doc/openssl/html/man3/SSL_set_session.html
+#usr/share/doc/openssl/html/man3/SSL_set_session_secret_cb.html
#usr/share/doc/openssl/html/man3/SSL_set_shutdown.html
#usr/share/doc/openssl/html/man3/SSL_set_verify_result.html
#usr/share/doc/openssl/html/man3/SSL_shutdown.html
@@ -966,6 +967,7 @@ usr/lib/ossl-modules/legacy.so
#usr/share/doc/openssl/html/man7/OSSL_PROVIDER-default.html
#usr/share/doc/openssl/html/man7/OSSL_PROVIDER-legacy.html
#usr/share/doc/openssl/html/man7/OSSL_PROVIDER-null.html
+#usr/share/doc/openssl/html/man7/OSSL_STORE-winstore.html
#usr/share/doc/openssl/html/man7/RAND.html
#usr/share/doc/openssl/html/man7/RSA-PSS.html
#usr/share/doc/openssl/html/man7/X25519.html
@@ -5515,6 +5517,7 @@ usr/lib/ossl-modules/legacy.so
#usr/share/man/man3/SSL_set_security_level.3ossl
#usr/share/man/man3/SSL_set_session.3ossl
#usr/share/man/man3/SSL_set_session_id_context.3ossl
+#usr/share/man/man3/SSL_set_session_secret_cb.3ossl
#usr/share/man/man3/SSL_set_shutdown.3ossl
#usr/share/man/man3/SSL_set_split_send_fragment.3ossl
#usr/share/man/man3/SSL_set_srp_server_param.3ossl
@@ -6703,6 +6706,7 @@ usr/lib/ossl-modules/legacy.so
#usr/share/man/man3/sk_TYPE_value.3ossl
#usr/share/man/man3/sk_TYPE_zero.3ossl
#usr/share/man/man3/ssl_ct_validation_cb.3ossl
+#usr/share/man/man3/tls_session_secret_cb_fn.3ossl
#usr/share/man/man5/config.5ossl
#usr/share/man/man5/fips_config.5ossl
#usr/share/man/man5/x509v3_config.5ossl
@@ -6828,6 +6832,7 @@ usr/lib/ossl-modules/legacy.so
#usr/share/man/man7/OSSL_PROVIDER-default.7ossl
#usr/share/man/man7/OSSL_PROVIDER-legacy.7ossl
#usr/share/man/man7/OSSL_PROVIDER-null.7ossl
+#usr/share/man/man7/OSSL_STORE-winstore.7ossl
#usr/share/man/man7/RAND.7ossl
#usr/share/man/man7/RSA-PSS.7ossl
#usr/share/man/man7/RSA.7ossl
diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn
index d9848a579..8a36d4bb4 100644
--- a/config/rootfiles/common/openvpn
+++ b/config/rootfiles/common/openvpn
@@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator
#usr/share/doc/openvpn/openvpn.8.html
#usr/share/man/man5/openvpn-examples.5
#usr/share/man/man8/openvpn.8
+usr/share/openvpn/ovpn.cnf
var/ipfire/ovpn/ca
var/ipfire/ovpn/caconfig
var/ipfire/ovpn/ccd
@@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial
var/ipfire/ovpn/crls
var/ipfire/ovpn/n2nconf
#var/ipfire/ovpn/openssl
-var/ipfire/ovpn/openssl/ovpn.cnf
var/ipfire/ovpn/openvpn-authenticator
var/ipfire/ovpn/ovpn-leases.db
var/ipfire/ovpn/ovpnconfig
diff --git a/config/rootfiles/core/186/filelists/files b/config/rootfiles/core/186/filelists/files
index 3f0d11ae2..0c4756337 100644
--- a/config/rootfiles/core/186/filelists/files
+++ b/config/rootfiles/core/186/filelists/files
@@ -12,8 +12,10 @@ etc/rc.d/init.d/grub-btrfsd
etc/rc.d/rc0.d/K01grub-btrfsd
etc/rc.d/rc3.d/S99grub-btrfsd
etc/rc.d/rc6.d/K01grub-btrfsd
+srv/web/ipfire/cgi-bin/ovpnmain.cgi
srv/web/ipfire/cgi-bin/vulnerabilities.cgi
usr/local/bin/ipsec-interfaces
usr/sbin/unbound-dhcp-leases-bridge
+usr/share/openvpn/ovpn.cnf
var/ipfire/header.pl
var/ipfire/ipblocklist/sources
diff --git a/config/rootfiles/core/186/filelists/openssl b/config/rootfiles/core/186/filelists/openssl
new file mode 120000
index 000000000..e011a9266
--- /dev/null
+++ b/config/rootfiles/core/186/filelists/openssl
@@ -0,0 +1 @@
+../../../common/openssl
\ No newline at end of file
diff --git a/config/rootfiles/core/186/update.sh b/config/rootfiles/core/186/update.sh
index 5d7add89f..02f799af8 100644
--- a/config/rootfiles/core/186/update.sh
+++ b/config/rootfiles/core/186/update.sh
@@ -104,8 +104,8 @@ done
extract_files
# Remove files
-#rm -rvf \
-# /XXX
+rm -rvf \
+ /var/ipfire/ovpn/openssl
# update linker config
ldconfig
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index c92d0237d..f0172978f 100755
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -1836,7 +1836,7 @@ END
'-days', '999999', '-newkey', 'rsa:4096', '-sha512',
'-keyout', "${General::swroot}/ovpn/ca/cakey.pem",
'-out', "${General::swroot}/ovpn/ca/cacert.pem",
- '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
+ '-config', "/usr/share/openvpn/ovpn.cnf")) {
$errormessage = "$Lang::tr{'cant start openssl'}: $!";
goto ROOTCERT_ERROR;
}
@@ -1868,7 +1868,7 @@ END
'-keyout', "${General::swroot}/ovpn/certs/serverkey.pem",
'-out', "${General::swroot}/ovpn/certs/serverreq.pem",
'-extensions', 'server',
- '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" )) {
+ '-config', "/usr/share/openvpn/ovpn.cnf" )) {
$errormessage = "$Lang::tr{'cant start openssl'}: $!";
unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
@@ -1885,7 +1885,7 @@ END
'-in', "${General::swroot}/ovpn/certs/serverreq.pem",
'-out', "${General::swroot}/ovpn/certs/servercert.pem",
'-extensions', 'server',
- '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf");
+ '-config', "/usr/share/openvpn/ovpn.cnf");
if ($?) {
$errormessage = "$Lang::tr{'openssl produced an error'}: $?";
unlink ("${General::swroot}/ovpn/ca/cakey.pem");
@@ -1904,7 +1904,7 @@ END
# System call is safe, because all arguments are passed as array.
system('/usr/bin/openssl', 'ca', '-gencrl',
'-out', "${General::swroot}/ovpn/crls/cacrl.pem",
- '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" );
+ '-config', "/usr/share/openvpn/ovpn.cnf" );
if ($?) {
$errormessage = "$Lang::tr{'openssl produced an error'}: $?";
unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
@@ -2426,8 +2426,8 @@ else
if ($confighash{$cgiparams{'KEY'}}) {
# Revoke certificate if certificate was deleted and rewrite the CRL
- &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
- &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
+ &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "/usr/share/openvpn/ovpn.cnf");
+ &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf");
###
# m.a.d net2net
@@ -2480,7 +2480,7 @@ else
&General::system("/usr/local/bin/openvpnctrl", "-drrd", "$confighash{$cgiparams{'KEY'}}[1]");
delete $confighash{$cgiparams{'KEY'}};
- &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
+ &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "/usr/share/openvpn/ovpn.cnf");
&General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
} else {
@@ -4053,7 +4053,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
'-batch', '-notext',
'-in', $filename,
'-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
- '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
+ '-config', "/usr/share/openvpn/ovpn.cnf");
if ($?) {
$errormessage = "$Lang::tr{'openssl produced an error'}: $?";
unlink ($filename);
@@ -4266,7 +4266,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
'-newkey', 'rsa:4096',
'-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem",
'-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
- '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
+ '-config', "/usr/share/openvpn/ovpn.cnf")) {
$errormessage = "$Lang::tr{'cant start openssl'}: $!";
unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem");
@@ -4280,7 +4280,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
'-batch', '-notext',
'-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
'-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
- '-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
+ '-config', "/usr/share/openvpn/ovpn.cnf");
if ($?) {
$errormessage = "$Lang::tr{'openssl produced an error'}: $?";
unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
diff --git a/lfs/openssl b/lfs/openssl
index 695035742..d6f565df2 100644
--- a/lfs/openssl
+++ b/lfs/openssl
@@ -24,7 +24,7 @@
include Config
-VER = 3.2.1
+VER = 3.2.2
THISAPP = openssl-$(VER)
DL_FILE = $(THISAPP).tar.gz
@@ -72,7 +72,7 @@ objects = $(DL_FILE)
$(DL_FILE) = $(DL_FROM)/$(DL_FILE)
-$(DL_FILE)_BLAKE2 = 960222e0305166160e5ab000e29650b92063bf726551ee9ad46060166d99738d1e3a5b86fd28b14c8f4fb3a72f5aa70850defb87c02990acff3dbcbdac40b347
+$(DL_FILE)_BLAKE2 = f42d44f31dc9ccf26ffe1fdd4a0119506a211808f92e860a34118109eae2ee7bcb5b0f43cbdf9eb811cd185cb53e092e62d652f7c0c0ce55b13289f7489073c9
install : $(TARGET)
diff --git a/lfs/openvpn b/lfs/openvpn
index b71b4ccc9..b686cc930 100644
--- a/lfs/openvpn
+++ b/lfs/openvpn
@@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
chown root:root /etc/fcron.daily/openvpn-crl-updater
chmod 750 /etc/fcron.daily/openvpn-crl-updater
+ # Move the OpenSSL configuration file out of /var/ipfire
+ mkdir -pv /usr/share/openvpn
+ mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \
+ /usr/share/openvpn/
+ rmdir -v /var/ipfire/ovpn/openssl
+
# Install authenticator
install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \
/usr/sbin/openvpn-authenticator
hooks/post-receive
--
IPFire 2.x development tree
reply other threads:[~2024-06-10 15:37 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4VybXm2kJSz2xVF@people01.haj.ipfire.org \
--to=git@ipfire.org \
--cc=ipfire-scm@lists.ipfire.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox