Using OpenSSL 3.0.7, packaged by OpenVPN Windows installer, causes
EasyRSA command 'build-ca' to fail, because it does not have an input
password to re-open the private key, which is required to generate
the CA certificate.
Provide the user specified CA passphrase as input password for build-ca.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
When using set_var() with a variable as in input for name of the variable,
use this wrapper to verify the input is suitable as a variable name.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Command show-expire:
Improve report outut to show 'expired: <date>' for expired certificates.
Otherwise, show 'expires: <date>' for currently Valid certicates.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Some commands must capture the SSL output via a subshell.
eg: ssl_cert_serial() and ssl_cert_not_before/after_date()
To use easyrsa_openssl() for these commands, EASYRSA_DEBUG must be disabled.
This patch unsets EASYRSA_DEBUG in the function subshells only.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Always assign the easyrsa_openssl() temp-file before escape_hazard().
In the event of failure, easyrsa_openssl() will try first.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Global option '--no-safe-ssl' disables generating a safe SSL config file.
The default is to always generate a safe SSL config file.
Can be used by OpenSSL ONLY.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
fn_ is preferable to f_
This is to simulate 'local', which was not POSIX, until recently.
Baseline: Windows sh.exe
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Use replaced in display_san() and display_dn().
verify_file(): Return status of SSL command.
Wrap long lines x4.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
LibreSSL Always probes the file assigned by environment variable OPENSSL_CONF.
Default can be found via command 'openssl version -d'
EasyRSA MUST provide a suitable "safe" SSL config file to LibreSSL.
Therefore, all SSL calls made by EasyRSA SHOULD go via easyrsa_openssl(),
which can be forced to ALWAYS build a "safe" SSL config file.
By always building a "safe" SSL config file, EasyRSA can always configure
the default value for OPENSSL_CONF.
This patch changes easyrsa_openssl(), to force generation of a safe SSL
config on EVERY use and set OPENSSL_CONF to the same.
Calls to easyrsa_openssl() ALWAYS generate a safe SSL config file, however,
that config file is only called via SSL option '-config' when the command
requires an SSL config file. (As by original design)
The environment variable OPENSSL_CONF always points to the EasyRSA "safe" SSL
config file, although the SSL command may not support the '-config' option.
The fundemental changes made here are, easyrsa_openssl():
- ALWAYS creates a "safe" SSL config file, although it may not be required.
- ALWAYS assigns SSL env-var OPENSSL_CONF to the above "safe" SSL config file.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
The code being removed was used to always build a safe SSL config file
during 'init-pki' and before running most other commands. The reason
for this code was because LibreSSL throws an error for missing config
file when generating random numbers.
The first part of the change here is to redirect LibreSSL error-out to
'/dev/null', when generating random numbers, and only capture the random
number that is generated.
The second part is to remove all the code that built a safe SSL config
file prior to running all commands, so that a safe SSL config was always
present in the PKI. This is no longer required.
The third part is to improve and document command 'make-safe-ssl'.
The final result is that 'easyrsa_openssl()' is used as required, to
build a safe SSL config file on demand, as was the original design.
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
