LibreSSL Always probes the file assigned by environment variable OPENSSL_CONF.
Default can be found via command 'openssl version -d'
EasyRSA MUST provide a suitable "safe" SSL config file to LibreSSL.
Therefore, all SSL calls made by EasyRSA SHOULD go via easyrsa_openssl(),
which can be forced to ALWAYS build a "safe" SSL config file.
By always building a "safe" SSL config file, EasyRSA can always configure
the default value for OPENSSL_CONF.
This patch changes easyrsa_openssl(), to force generation of a safe SSL
config on EVERY use and set OPENSSL_CONF to the same.
Calls to easyrsa_openssl() ALWAYS generate a safe SSL config file, however,
that config file is only called via SSL option '-config' when the command
requires an SSL config file. (As by original design)
The environment variable OPENSSL_CONF always points to the EasyRSA "safe" SSL
config file, although the SSL command may not support the '-config' option.
The fundemental changes made here are, easyrsa_openssl():
- ALWAYS creates a "safe" SSL config file, although it may not be required.
- ALWAYS assigns SSL env-var OPENSSL_CONF to the above "safe" SSL config file.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
The code being removed was used to always build a safe SSL config file
during 'init-pki' and before running most other commands. The reason
for this code was because LibreSSL throws an error for missing config
file when generating random numbers.
The first part of the change here is to redirect LibreSSL error-out to
'/dev/null', when generating random numbers, and only capture the random
number that is generated.
The second part is to remove all the code that built a safe SSL config
file prior to running all commands, so that a safe SSL config was always
present in the PKI. This is no longer required.
The third part is to improve and document command 'make-safe-ssl'.
The final result is that 'easyrsa_openssl()' is used as required, to
build a safe SSL config file on demand, as was the original design.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Squashed commit of the following:
commit 4f142baa04227963f291948dcbe2cb08e6ac6cd1
Merge: 0ee7a6d bcc71d6
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Mon Nov 21 20:23:22 2022 +0000
Merge branch 'doc-set-pass' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-doc-set-pass
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
commit bcc71d6c7e0d7bfe1d628cadc13689eb32fd4c8d
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Mon Nov 21 15:14:27 2022 +0000
Minor improvements to help for cmd:'set-pass' and opt:'--no-pass'
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Also, replace $die_error_exit with $confirm_aborted:
Make die() the default exit on error.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Squashed commit of the following:
commit 81937721412478c0f4b7d32b6a55d18099608d88
Merge: 43d7648 345e6cc
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Sun Nov 20 13:37:05 2022 +0000
Merge branch 'improve-escape_hazard' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-improve-escape_hazard
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
commit 345e6cc5540d411e32c3cc7ced3017742188d144
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Sun Nov 20 13:07:37 2022 +0000
Minor refactor: escape_hazard()
Remove development code. Improve text.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Squashed commit of the following:
commit 3a5e7539db93b88a9db8b2fb9fc6520870f337ac
Merge: 1a46e32 3d9fa5e
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Sun Nov 20 13:31:57 2022 +0000
Merge branch 'path-len-zero' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-path-len-zero
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
commit 3d9fa5e955f0ed517c63bb8c35e6fde180af8b6a
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Sun Nov 20 00:30:59 2022 +0000
Option --subca-len - Allow value to be 0 (zero)
For an intermediate CA certificate, Path length of zero (0) is valid.
Therefore, allow the character '0' as a valid numeric input for EasyRSA
option --subca-len=<N>
This method allows character zero (0) ONLY, as a numeric input
for options which accept zero as a value.
Add comment: # Reset per pass flags
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Squashed commit of the following:
commit aecf6e63780d9aec8b31b61aff0704f45c9598c9
Merge: 85db316 244c059
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Sun Nov 20 13:28:12 2022 +0000
Merge branch 'improve-keep-tmp' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-improve-keep-tmp
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
commit 244c05968e76d1fa7673202e1623cb252083bc66
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Thu Nov 17 02:13:40 2022 +0000
Expand check for --keep-tmp value to an existing file of any type
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
EasyRSA version 3.1.x only.
Summary of changes:
1. Introduce EasyRSA command 'set-pass'.
Use SSL command 'pkey' to set passwords on all private key files.
SSL command 'pkey' supports all EasyRSA croptoraphy settings.
This replaces "Leacy" commands 'set-rsa-pass' and 'set-ecpass'.
(These commands and their original code are retained for compatibility)
2. Remove the use of EasyRSA variable $no_password from legacy commands.
This bug was caused by commit: 9b4bd19545ebc7faf0e281483ddb53748c40eb07
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Replace all 'set-X-pass' commands with single 'set-pass' command.
The new EasyRSA 'set-pass' command uses OpenSSL command 'pkey' to manipulate
private keys. OpenSSL 'pkey' command supports all EasyRSA cryptography.
Retain compatibility with old commands.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Squashed commit of the following:
commit 7bdc3cdfbf4ac11dc5ff6377b1b32306fc50bc66
Merge: 320a324 7fa4ec9
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Thu Nov 10 19:41:31 2022 +0000
Merge branch 'fix-random-cert-serial' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-fix-random-cert-serial
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
commit 7fa4ec9e3155f8b54648226397ef73f9086779d1
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Thu Nov 10 19:27:37 2022 +0000
Require unique random serial number for certificate or fail
This only effects Random certificate serial numbers: EASYRSA_RAND_SN
(EASYRSA_RAND_SN is the Easy-RSA default mode)
Previously, no matter if a _unique_ random serial number was generated,
sign_req() would always use the last random number generated, as serial
number for the new certificate.
This behaviour also allowed _complete failure_ of the SSL serial number
check to pass without error.
This change allows signing a request to succeed ONLY when a unique serial
number has been generated and validated.
A failure of the SSL CA unique serial number check will NOT be ignored.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Squashed commit of the following:
commit cb68324306febcddf7ef03fe56fc1eddf06e7db7
Merge: 82483f1 2199d0c
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Wed Nov 9 21:19:41 2022 +0000
Merge branch 'f-easyrsa_random' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-f-easyrsa_random
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
commit 2199d0c323e506df436a335375be9115a12d6b7f
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Wed Nov 9 21:05:17 2022 +0000
Minor improvements to temp-session and temp-file
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
commit aa15b74722632ecab14c07ba9f2158d121e55d4f
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Wed Nov 9 20:35:43 2022 +0000
New function: easyrsa-random() - Generate random hexadecimal data
Replace the various random requirements with this new function.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Squashed commit of the following:
commit 5d48d39891b8ecd8c34f6faef1de06d327ed2b18
Merge: c905f09 2cfc18c
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Thu Nov 3 21:56:48 2022 +0000
Merge branch 'restrain-detect_host' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-restrain-detect_host
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
commit 2cfc18c46bb23d1a2e88502ee76faf373f848155
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Thu Nov 3 21:15:09 2022 +0000
Improve detect_host() and show_host()
These changes make reductions to:
- The effects of detect_host()
- The output of show_host()
detect_host:
- Does not set an SSL library.
- Is not essential, so can be run before all other essential code.
show_host:
- Only show extended details for -v 'verbose' output.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Squashed commit of the following:
commit 3bff869d3058b2d8d2e21b572dfed6bac773ffe8
Merge: dbb8517 1652f20
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Thu Nov 3 19:55:34 2022 +0000
Merge branch 'new-global-opt-nopass' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-new-global-opt-nopass
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
commit 1652f20e88ae72e731d8e6001d561d10aebdb780
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Wed Nov 2 17:46:54 2022 +0000
Introduce global option '--nopass|--no-pass' (#752)
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
commit 7817324cbb31baf922724e46d5a50947b0b649d6
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Wed Nov 2 17:29:41 2022 +0000
Introduce global option '--nopass|--no-pass'
This change forces all commands where passwords are not desired,
to internally rely on the specific EasyRSA variable 'EASYRSA_NO_PASS'.
Current use of 'nopass' as a command option, is unchanged.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Squashed commit of the following:
commit 6ed16cd3860a1cf155c48809d11b55101ff66224
Merge: 4472516 94f6402
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Tue Nov 1 22:51:33 2022 +0000
Merge branch 'redir-stderr-version' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-redir-stderr-version
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
commit 94f6402c64b9d11da34c93d06b62a00b2ad2fe40
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Tue Nov 1 20:51:26 2022 +0000
print_version(): Redirect stderr for "openssl" call
This redirects stderr message generated by missing config file,
specifically for LibreSSL.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Squashed commit of the following:
commit 4aada5ffcd8cff893618bbbfe24f589f33665352
Merge: 439cdc1 6f8ba1e
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Mon Oct 31 00:31:56 2022 +0000
Merge branch 'bugfix-number-only' of ssh://github.com/TinCanTech/easy-rsa into TinCanTech-bugfix-number-only
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
commit 6f8ba1e608d5223efa9dd296ed2c61418da991aa
Author: Richard T Bonhomme <tincantech@protonmail.com>
Date: Sun Oct 30 23:56:46 2022 +0000
Reset option flag check 'number_only' per option
Closes: #747
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
