From 0933b898b3cf695e52e71a5d84386ed4183a5427 Mon Sep 17 00:00:00 2001 From: Eric F Crist Date: Wed, 20 Dec 2017 21:40:38 -0600 Subject: [PATCH 1/5] Update README, address vx.x.x branches (new v3.0.4) Signed-off-by: Eric F Crist --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 97e6c4f..3f25b10 100644 --- a/README.md +++ b/README.md @@ -38,7 +38,8 @@ the most recent release. The prior 2.x and 1.x versions are available as release branches for tracking and possible back-porting of relevant fixes. Branch layout is: - master <- 3.x, at present + master <- 3.x, at present + v3.x.x pre-release branches, used for staging branches release/2.x release/1.x From b3ed48042eaacec24c548a436293b4344e43d81f Mon Sep 17 00:00:00 2001 From: Eric F Crist Date: Sun, 24 Dec 2017 10:00:20 -0600 Subject: [PATCH 2/5] Correct subjectAltName errors in server sign Signed-off-by: Eric F Crist --- ChangeLog | 7 ++++--- easyrsa3/easyrsa | 6 ++++-- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/ChangeLog b/ChangeLog index c13f11b..3eb7897 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,12 +1,13 @@ Easy-RSA 3 ChangeLog -3.0.x (TBD) +3.0.4 (TBD) * Remove use of egrep (#154) * Integrate with Travis-CI (#165) * Remove "local" from variable assignment (#165) * Other changes related to Travis-CI fixes - * Assign values (even empty ones) to variables defined previously with - "local" + * Assign values to variables defined previously w/local + * Finally(?) fix the subjectAltName issues I presented earlier (really + fixes #168 3.0.3 (2017-08-22) * Include mktemp windows binary diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index e99f6db..c81ac9a 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa 
@@ -652,10 +652,12 @@ $(display_dn req "$req_in") # If type is server and no subjectAltName was requested, # add one to the extensions file - if [ "$crt_type" = 'server' ]; then + if [ "$crt_type" = 'server' ]; + then + sname=$(basename $req_in | cut -d. -f1) echo "$EASYRSA_EXTRA_EXTS" | grep -q subjectAltName || - print "default_server_san $req_in" + print "subjectAltName = DNS:$sname" fi # Add any advanced extensions supplied by env-var: From b83b8ff7a6217269b022f81e7654d1e2935dbc6f Mon Sep 17 00:00:00 2001 From: Bob Vincent Date: Mon, 1 Jan 2018 13:41:18 -0500 Subject: [PATCH 3/5] Fix generation of serverAltName. --- easyrsa3/easyrsa | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index c81ac9a..7b95d74 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -657,7 +657,7 @@ $(display_dn req "$req_in") sname=$(basename $req_in | cut -d. -f1) echo "$EASYRSA_EXTRA_EXTS" | grep -q subjectAltName || - print "subjectAltName = DNS:$sname" + default_server_san $req_in fi # Add any advanced extensions supplied by env-var: From 9500a6a14bb07880cf4c53505b49ca08214fbc88 Mon Sep 17 00:00:00 2001 From: Bob Vincent Date: Tue, 2 Jan 2018 16:50:14 -0500 Subject: [PATCH 4/5] Fix the --subject-alt-name option. --- easyrsa3/easyrsa | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 7b95d74..5548b37 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -279,7 +279,7 @@ Type the word '$value' to continue, or any other input to abort." # remove temp files clean_temp() { - for f in "$EASYRSA_TEMP_FILE" "$EASYRSA_TEMP_FILE_2" "$EASYRSA_TEMP_FILE_3" + for f in "$EASYRSA_TEMP_CONF" "$EASYRSA_TEMP_EXT" "$EASYRSA_TEMP_FILE_2" "$EASYRSA_TEMP_FILE_3" do [ -f "$f" ] && rm "$f" 2>/dev/null done } # => clean_temp() 
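Review bot: The added `sname=$(basename $req_in | cut -d. -f1)` keeps only the text before the first dot of the request filename, so a request saved as `www.example.com.req` is signed with `subjectAltName = DNS:www` and TLS clients connecting to www.example.com will reject the certificate; `$req_in` is also unquoted, so a PKI path containing spaces breaks the pipeline. Assuming requests carry the `.req` suffix, strip just that, `sname=$(basename "$req_in" .req)`, or better derive the SAN from the request's CN rather than from how the file happens to be named. The SAN is the value clients match against the hostname, so a silently shortened name is a wrong certificate, not a cosmetic defect. The enclosing function starts and ends outside the hunk.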
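Review bot: After this change `sname` is assigned on the context line above but no longer read anywhere in the hunk, so `sname=$(basename $req_in | cut -d. -f1)` is dead code and should be removed along with the `print` it served (unless `default_server_san` reads it as a global, which the hunk does not show). The new call also passes `$req_in` unquoted; `default_server_san "$req_in"` keeps a path with spaces as one argument. The `if` is visible in full but the function around it starts and ends outside the hunk.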
@@ -546,10 +546,10 @@ $EASYRSA_EXTRA_EXTS" }' print "$extra_exts" | \ awk "$awkscript" "$EASYRSA_SSL_CONF" \ - > "$EASYRSA_TEMP_FILE" \ + > "$EASYRSA_TEMP_CONF" \ || die "Copying SSL config to temp file failed" # Use this new SSL config for the rest of this function - EASYRSA_SSL_CONF="$EASYRSA_TEMP_FILE" + EASYRSA_SSL_CONF="$EASYRSA_TEMP_CONF" fi key_out_tmp="$(mktemp "$key_out.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$key_out_tmp" @@ -664,14 +664,14 @@ $(display_dn req "$req_in") [ -n "$EASYRSA_EXTRA_EXTS" ] && print "$EASYRSA_EXTRA_EXTS" : # needed to keep die from inherting the above test - } > "$EASYRSA_TEMP_FILE" || die "\ + } > "$EASYRSA_TEMP_EXT" || die "\ Failed to create temp extension file (bad permissions?) at: -$EASYRSA_TEMP_FILE" +$EASYRSA_TEMP_EXT" # sign request crt_out_tmp="$(mktemp "$crt_out.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_2="$crt_out_tmp" "$EASYRSA_OPENSSL" ca -utf8 -in "$req_in" -out "$crt_out_tmp" -config "$EASYRSA_SSL_CONF" \ - -extfile "$EASYRSA_TEMP_FILE" -days $EASYRSA_CERT_EXPIRE -batch $opts \ + -extfile "$EASYRSA_TEMP_EXT" -days $EASYRSA_CERT_EXPIRE -batch $opts \ || die "signing failed (openssl output above may have more detail)" mv "$crt_out_tmp" "$crt_out"; EASYRSA_TEMP_FILE_2= notice "\ @@ -1079,7 +1079,8 @@ Note: using Easy-RSA configuration from: $vars" set_var EASYRSA_CRL_DAYS 180 set_var EASYRSA_NS_SUPPORT no set_var EASYRSA_NS_COMMENT "Easy-RSA Generated Certificate" - set_var EASYRSA_TEMP_FILE "$EASYRSA_PKI/extensions.temp" + set_var EASYRSA_TEMP_CONF "$EASYRSA_PKI/openssl-easyrsa.temp" + set_var EASYRSA_TEMP_EXT "$EASYRSA_PKI/extensions.temp" set_var EASYRSA_TEMP_FILE_2 "" set_var EASYRSA_TEMP_FILE_3 "" set_var EASYRSA_REQ_CN ChangeMe From 482b3e7ade5ad6fbb0362e9972bc1a0ecd3beef9 Mon Sep 17 00:00:00 2001 From: Bob Vincent Date: Tue, 2 Jan 2018 16:52:16 -0500 Subject: [PATCH 5/5] Allow "--copy-ext" without a value. (https://github.com/OpenVPN/easy-rsa/pull/153) --- easyrsa3/easyrsa | 1 + 1 file changed, 1 insertion(+) 
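Review bot: Splitting the config copy and the extension file into `EASYRSA_TEMP_CONF` and `EASYRSA_TEMP_EXT` stops the two writes from clobbering each other, but the extension file is still written to one fixed path under the PKI, while `crt_out_tmp` two lines below is created with `mktemp`. If two sign-req runs ever overlap on the same PKI, one run's `-extfile` can be the other run's extensions (including its subjectAltName), so creating it with `mktemp "$EASYRSA_PKI/extensions.XXXXXXXXXX"` and registering it for `clean_temp` would close that window; the same applies to `EASYRSA_TEMP_CONF` in the `@@ -546` hunk above. Whether concurrent use of one PKI is supported at all is not visible here, so stating the assumption next to the write would also do, e.g. `# single writer per PKI assumed: the extension temp file has a fixed name`. The enclosing function starts and ends outside the hunk.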
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 5548b37..da0db44 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -1188,6 +1188,7 @@ while :; do --vars) export EASYRSA_VARS_FILE="$val" ;; --copy-ext) + empty_ok=1 export EASYRSA_CP_EXT=1 ;; --subject-alt-name) export EASYRSA_EXTRA_EXTS="\
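Review bot: `empty_ok=1` lets `--copy-ext` be given without a value, in line with the other flag-style arms (assuming the enclosing `while :; do` loop, which starts outside the hunk, resets `empty_ok` for each option), but a supplied value is still accepted and ignored, so `--copy-ext=0` turns copying on. If that is intended, make it explicit with a comment on the arm, `# flag only; any value is ignored`; otherwise reject a non-empty `$val` for this option instead of exporting 1 unconditionally. The `--subject-alt-name` assignment on the last line continues past the hunk.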