nik/easyrsa
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'force-safe-ssl' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-force-safe-ssl

Browse Source 
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
This commit is contained in:
Richard T Bonhomme 2023-04-13 22:58:11 +01:00
commit dd30507b5b
No known key found for this signature in database
GPG Key ID: 2D767DB92FB6C246
1 changed files with 16 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
easyrsa3/easyrsa
View File

@ -475,8 +475,11 @@ General options:
(Default vars file is in the EasyRSA PKI directory) (Default vars file is in the EasyRSA PKI directory)
--pki-dir=DIR : Declare the PKI directory --pki-dir=DIR : Declare the PKI directory
(Default PKI directory is sub-directory 'pki') (Default PKI directory is sub-directory 'pki')
--ssl-conf=FILE : Define a specific OpenSSL config file for Easy-RSA to use --ssl-conf=FILE : Define a specific OpenSSL config file for Easy-RSA to use
(Default config file is in the EasyRSA PKI directory) (Default config file is in the EasyRSA PKI directory)
--force-safe-ssl: Always generate a safe SSL config file
(Default: Generate Safe SSL config once per instance)
--no-safe-ssl : OpenSSL Only: Do not use a safe SSL config file --no-safe-ssl : OpenSSL Only: Do not use a safe SSL config file
--tmp-dir=DIR : Declare the temporary directory --tmp-dir=DIR : Declare the temporary directory
@ -814,6 +817,7 @@ Temporary session not preserved."
# Make a copy safe SSL config file # Make a copy safe SSL config file
make_safe_ssl() { make_safe_ssl() {
verify_pki_init verify_pki_init
EASYRSA_FORCE_SAFE_SSL=1
easyrsa_openssl makesafeconf easyrsa_openssl makesafeconf
notice "\ notice "\
Generated safe SSL config file: Generated safe SSL config file:
@ -936,7 +940,10 @@ easyrsa_openssl() {
# '$' - Workaround 'easyrsa' based limitation # '$' - Workaround 'easyrsa' based limitation
# This is required for all SSL libs, otherwise, # This is required for all SSL libs, otherwise,
# there are unacceptable differences in behavior # there are unacceptable differences in behavior
if [ "$working_safe_ssl_conf" ]; then # EASYRSA_FORCE_SAFE_SSL will always over-ride
if [ -z "$EASYRSA_FORCE_SAFE_SSL" ] && \
[ "$working_safe_ssl_conf" ]
then
: # ok - This has been done before : # ok - This has been done before
verbose "\ verbose "\
easyrsa_openssl: escape_hazard SKIPPED" easyrsa_openssl: escape_hazard SKIPPED"
@ -952,7 +959,10 @@ easyrsa_openssl: escape_hazard SKIPPED"
# Only create a new safe config, # Only create a new safe config,
# if it has not been done before. # if it has not been done before.
if [ "$working_safe_ssl_conf" ]; then # EASYRSA_FORCE_SAFE_SSL will always over-ride
if [ -z "$EASYRSA_FORCE_SAFE_SSL" ] && \
[ "$working_safe_ssl_conf" ]
then
# ok - This has been done before # ok - This has been done before
easyrsa_safe_ssl_conf="$working_safe_ssl_conf" easyrsa_safe_ssl_conf="$working_safe_ssl_conf"
verbose "\ verbose "\
@ -5965,6 +5975,10 @@ while :; do
# This will probably be need # This will probably be need
#save_EASYRSA_SILENT_SSL=1 #save_EASYRSA_SILENT_SSL=1
;; ;;
--force-safe-ssl)
empty_ok=1
export EASYRSA_FORCE_SAFE_SSL=1
;;
--no-safe-ssl) --no-safe-ssl)
empty_ok=1 empty_ok=1
export EASYRSA_NO_SAFE_SSL=1 export EASYRSA_NO_SAFE_SSL=1