nik/easyrsa
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'set-OPENSSL_CONF' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-set-OPENSSL_CONF

Browse Source 
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
This commit is contained in:
Richard T Bonhomme 2022-12-03 13:08:19 +00:00
commit 6535998aaa
No known key found for this signature in database
GPG Key ID: 2D767DB92FB6C246
1 changed files with 55 additions and 52 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
easyrsa3/easyrsa
View File

@ -782,7 +782,7 @@ easyrsa_openssl() {
# Do not allow 'rand' here because it interferes with EASYRSA_DEBUG # Do not allow 'rand' here because it interferes with EASYRSA_DEBUG
case "$openssl_command" in case "$openssl_command" in
rand) die "easyrsa_openssl: Illegal SSL command: rand" ;; rand) die "easyrsa_openssl: Illegal SSL command: rand" ;;
makesafeconf) has_config=1; require_safe_ssl_conf=1 ;; makesafeconf) require_safe_ssl_conf=1 ;;
ca|req|srp|ts) has_config=1 ;; ca|req|srp|ts) has_config=1 ;;
*) unset -v has_config *) unset -v has_config
esac esac
@ -796,7 +796,6 @@ easyrsa_openssl() {
has_config=1 has_config=1
fi fi
if [ "$has_config" ]; then
# Make LibreSSL safe config file from OpenSSL config file # Make LibreSSL safe config file from OpenSSL config file
# Auto-escape hazardous characters: # Auto-escape hazardous characters:
@ -808,7 +807,10 @@ easyrsa_openssl() {
easyrsa_safe_ssl_conf="$(easyrsa_mktemp)" || \ easyrsa_safe_ssl_conf="$(easyrsa_mktemp)" || \
die "easyrsa_openssl - easyrsa_mktemp failed" die "easyrsa_openssl - easyrsa_mktemp failed"
# require_safe_ssl_conf is ALWAYS set by verify_ssl_lib() # set $OPENSSL_CONF - Does not effect 'openssl-easyrsa.cnf'
export OPENSSL_CONF="$easyrsa_safe_ssl_conf"
# Currently, $require_safe_ssl_conf is ALWAYS set by verify_ssl_lib()
if [ "$require_safe_ssl_conf" ]; then if [ "$require_safe_ssl_conf" ]; then
# Make a safe SSL config file # Make a safe SSL config file
@ -834,16 +836,18 @@ easyrsa_openssl() {
die "easyrsa_openssl - sed failed" die "easyrsa_openssl - sed failed"
else else
# Do NOT Make a safe SSL config file # Do NOT Make a SAFE SSL config, only copy the standard config
cp -f "$EASYRSA_SSL_CONF" "$easyrsa_safe_ssl_conf" || \ cp -f "$EASYRSA_SSL_CONF" "$easyrsa_safe_ssl_conf" || \
die "easyrsa_openssl - copy failed" die "easyrsa_openssl - copy failed"
fi fi
# Execute command
if [ "$openssl_command" = "makesafeconf" ]; then if [ "$openssl_command" = "makesafeconf" ]; then
# move temp file to safessl-easyrsa.cnf # move temp file to safessl-easyrsa.cnf
mv -f "$easyrsa_safe_ssl_conf" "$EASYRSA_SAFE_CONF" || \ mv -f "$easyrsa_safe_ssl_conf" "$EASYRSA_SAFE_CONF" || \
die "easyrsa_openssl - makesafeconf failed" die "easyrsa_openssl - makesafeconf failed"
else
elif [ "$has_config" ]; then
# debug log on # debug log on
if [ "$EASYRSA_DEBUG" ]; then print "<< DEBUG-ON >>"; set -x; fi if [ "$EASYRSA_DEBUG" ]; then print "<< DEBUG-ON >>"; set -x; fi
@ -853,7 +857,7 @@ easyrsa_openssl() {
# debug log off # debug log off
if [ "$EASYRSA_DEBUG" ]; then set +x; print ">> DEBUG-OFF <<"; fi if [ "$EASYRSA_DEBUG" ]; then set +x; print ">> DEBUG-OFF <<"; fi
fi
else else
# debug log on # debug log on
if [ "$EASYRSA_DEBUG" ]; then print "<< DEBUG-ON >>"; set -x; fi if [ "$EASYRSA_DEBUG" ]; then print "<< DEBUG-ON >>"; set -x; fi
@ -4263,7 +4267,6 @@ Sourcing the vars file and building certificates will probably fail ..'
set_var EASYRSA_SSL_CONF "$EASYRSA_PKI/openssl-easyrsa.cnf" set_var EASYRSA_SSL_CONF "$EASYRSA_PKI/openssl-easyrsa.cnf"
set_var EASYRSA_SAFE_CONF "$EASYRSA_PKI/safessl-easyrsa.cnf" set_var EASYRSA_SAFE_CONF "$EASYRSA_PKI/safessl-easyrsa.cnf"
set_var OPENSSL_CONF "$EASYRSA_SAFE_CONF"
set_var EASYRSA_KDC_REALM "CHANGEME.EXAMPLE.COM" set_var EASYRSA_KDC_REALM "CHANGEME.EXAMPLE.COM"