Compiled OpenSSL 3.0.3 from github for both 64 and 32 bit Windows. Ran
the wop-test.sh script and passed tests:
* Easy-RSA Unit Tests:
* Windows, no OpenSSL-v3
* System SSL enabled
easyrsa-unit-tests.sh version: 2.3.0
* setup unit-test - ok
* shellcheck abandoned
* >>> BEGIN unit tests:
* >>>>>>: sh C:/Users/ecrist/Desktop/3.1.0-64/easy-rsa/easyrsa-unit-tests.sh -v
easyrsa-unit-tests.sh version: 2.3.0
easyrsa-unit-tests.sh source: localhost
easyrsa source: C:/Users/ecrist/Desktop/3.1.0-64/easy-rsa/easyrsa3/easyrsa
* EASYRSA_OPENSSL:
openssl (env)
OpenSSL 3.0.3 3 May 2022 (Library: OpenSSL 3.0.3 3 May 2022)
EasyRSA Version Information
Version: ~VER~
Generated: ~DATE~
SSL Lib: OpenSSL 3.0.3 3 May 2022 (Library: OpenSSL 3.0.3 3 May 2022)
Git Commit: ~GITHEAD~
Source Repo: https://github.com/OpenVPN/easy-rsa
Setup .. ok
>>>>> >>>>> Begin easyrsa rsa tests
... Lots of tests here.
<<<<< <<<<< End easyrsa ed tests
easyrsa-unit-tests.sh version: 2.3.0
easyrsa-unit-tests.sh source: localhost
easyrsa source: C:/Users/ecrist/Desktop/3.1.0-64/easy-rsa/easyrsa3/easyrsa
* EASYRSA_OPENSSL:
openssl (env)
OpenSSL 3.0.3 3 May 2022 (Library: OpenSSL 3.0.3 3 May 2022)
Unit-test: cleanup
Remove temp dir: C:/Users/ecrist/Desktop/3.1.0-64/easy-rsa/easyrsa3/unit tests
Completed Thu May 5 08:28:30 Central Daylight Time 2022 (Total errors: 0)
* OK
* <<< END unit tests:
Signed-off-by: Eric F Crist <ecrist@secure-computing.net>
Not all the places I want to build the distribution symlink python to
the python3 binary (namely macOS) so just call python3 directly.
Signed-off-by: Eric F Crist <ecrist@secure-computing.net>
When 'vars' is in the same directory as 'easyrsa' and they are both
in the current working directory, easyrsa would falsely warn about
"conflicting" 'vars' files.
Filter out this false error by checking if '$prog_dir' is './'
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Changes to how 'vars' is located and sourced omitted the possibility
that the vars file has been declared via '--vars'.
Move the 'fi' to the correct location so that '--vars' is respected.
Closes: #552 (Over-ruled, due to another, unrelated change)
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
This has been an on/off release tag, but we're going to push it out
because there are some that will remain on the v3.0.x branch for a
long time, and OpenSSL 3.x isn't available in all distros/embedded
systems yet (or for a while).
- Updated OpenSSL for Windows to 1.1.1o
- Updated ChangeLog for v3.0.9, pulling in most comments for v3.1.0
- Updated header in easyrsa to point to Github contributors page
Signed-off-by: Eric F Crist <ecrist@secure-computing.net>
date.exe does not support output format '+%s' as input.
Instead, use date.exe "string" not seconds since epoch.
Also, force easyrsa_openssl() 'makesafeconf' to move the the temp-file
to the target file. Otherwise, Windows users are expected to confirm
over-write, every time.
Also, minor variable name changes, for clarity.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
The initial idea was to mask the actual certificate creation date.
The reason was to further anonymise user certificates. (YMMV)
There is now a second part to this date "fixing":
* This allows for all certificates to expire on the same day.
Using command option '--fix-offset=nnn', all certificates will be created
* with a 'notBefore' date of January 1st of the current year.
* with a 'notAfter' date of the day-of-year number from '--fix-offset',
in the final year, as per EASYRSA_CERT_EXPIRE (Default 825 days).
The default 825 days results in 2 years plus the offset given.
This can also be set in the 'vars' file, for convenience.
The default day-of-year offered is 183; either July 2 or 3 (leap year).
Follow-up to: #550 (Replaces 'nodatetime' with '--fix-offset')
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
This modification adds "nodatetime" argument to build-client-full
and build-server-full which issues the certificate with notBefore
and notAfter date set to 1 Jan, with difference in the year only.
It could be useful for a VPN service to prevent client and server
certificate generation date and time disclosure.
For '--copy-ext' the "copy_extensions = copy" must be inserted into
the SSL config file, section [defaul_ca]. As with all other insertions,
use the same 'awk' script with a new label '%COPY_EXTS%'.
Closes: #548
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Add '--san' option alias name and reformat help to include '--san'.
Refactor code for readability.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
EasyRSA set_var() is not known by shellcheck, so "fake declare"
variables that otherwise incorrectly trigger SC2154.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
LibreSSL chokes on 'rand' without a config file and dies on the
standard config file.
A common fix would be to redirect error out to '/dev/null' but this
would obviously mask all error messages, which is not satisfactory.
Instead, always make a safe config file before the temporary session
directory and any temp-files are required.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
In 'org' mode, fields such as EASYRSA_REQ_ORG can be abused.
If the field contains single quote ('), ampersand (&), back-tick (`),
dollar sign ($) or hash (#) then the result is undefined.
Due to EasyRSA running on Linux and Windows and supporting multiple
SSL Libraries, it is not feasible to support these characters.
Add a check to determine if any unsupported characters are found in
the vars file and issue a warning if they are found.
Add a sub-shell test to source vars. If the test fails then exit
gracefully, with a specific error message.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Ensure that declaration of file-names which are from serial-numbers
are declared after the serial-number has been extracted.
Move confirmation prompts to the last point before action.
Correct and improve #comments, "prompts" and "error messages".
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
When easyrsa "renews" a certificate, the current certificate is moved
to a sub-directory for renewed certificates and renamed to the serial
number of the certificate.
This makes it difficult to subsequently revoke the old certificate.
The new behaviour is for easyrsa to move the certificate without
renaming the file. This means the certificate can be revoked by name.
Once a renewed certificate is revoked, it is moved to the 'revoked'
sub-directory, along with all other revoked certificates.
The same mechanism also manages keys, requests, PKCS and inline files.
Behaviour summary:
* revoke moves certificates to 'revoked' - Unchanged
Rename the certificate to its serial number - Unchanged
* renew moves certificates to 'renewed' - Unchanged
renew does not rename the certificate to its serial number - Changed
Important:
Only one certificate of a specific name (eg. john) can be renewed
at the same time.
To renew another certificate called 'john' the first MUST be revoked.
* revoke-renewed:
takes the certificate from 'renewed' - Changed
moves the certifiate to 'revoked' - Changed
renames the certificate to its serial number - Unchanged
* All revoked certificates are moved to the 'revoked' sub-directory.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Plus a minor correction to white-space.
Closes: #411
Original commit:
commit e93af47b0112b13e221a1bf28d36afaf5f5719df
Author: itaru2622 <itaru2622@gmaiil.com>
Date: Wed Oct 7 20:47:26 2020 +0900
supporting nopass option for export-p12
usage:
easyrsa export-p12 EntityName nopass
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
