Skip to content

Replace local / global openssl-easyrsa.cnf #1394

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
TinCanTech merged 21 commits into from
Oct 3, 2025
Merged

Replace local / global openssl-easyrsa.cnf #1394

TinCanTech merged 21 commits into from
Oct 3, 2025

Conversation

@TinCanTech
Copy link
Collaborator

@TinCanTech TinCanTech commented Sep 27, 2025
edited
Loading

Previously, Easy-RSA would create a global safe SSL config file, which is
the existing or default openssl-easyrsa.cnf file with all environment
variables expanded to their values ALWAYS.

Then Easy-RSA would create a local SSL config file for specific commands
ONLY, which is the existing or default openssl-easyrsa.cnf file with
environment variables expanded to their values ONLY when required by
the SSL library or forced to by command line option --force-safe-ssl.

With these changes, Easy-RSA now does the following:

  1. Create a global safe SSL config file exactly as before and export it
    to $OPENSSL_CONF, for use by any SSL library. This file is specifically
    required by check_serial_unique(), which must have the Easy-RSA CA
    configured file.

  2. Use either an existing openssl-easyrsa.cnf file OR provide a default,
    unexpanded tmp-file, which is exported to $EASYRSA_SSL_CONF, for use
    ONLY by Easy-RSA. This must be unexpanded to allow $EASYRSA_REQ_CN to
    be configured by the Easy-RSA command in use (eg. sign-req) once the
    Easy-RSA command line has been fully parsed.

  3. When calling easyrsa_openssl(), for LibreSSL or --force-safe-ssl,
    expand the current $EASYRSA_SSL_CONF and export that to $OPENSSL_CONF,
    for use by the called SSL command. Otherwise, use the current, unexpanded
    file and export that.

In summary, the so-called 'local' (on-demand) SSL file has been replaced with
an ALWAYS provided or present openssl-easyrsa.cnf file, be that temporary or
packaged.

@TinCanTech
Improve and simplify verify_working_env()
80702d6 
Make pki/ca ckecks independent of other checks.

Make write functions dependent on presence of Temp-dir.

If openssl-easyrsa.cnf is missing then provide unexpanded here-doc copy.

Signed-off-by: Richard T Bonhomme <[email protected]>
@TinCanTech
Introduce check_ssl_cnf_known_hash(): Check input file hash
b0728a5 
Signed-off-by: Richard T Bonhomme <[email protected]>
@TinCanTech
Introduce sed_expand_ssl_config(): Replacement for expand_ssl_config()
ceb54cb 
Signed-off-by: Richard T Bonhomme <[email protected]>
@TinCanTech
Introduce expand_safe_ssl_cnf(): Wrapper to fully expand SSL config
bc22ef6 
Signed-off-by: Richard T Bonhomme <[email protected]>
@TinCanTech
easyrsa_openssl(): Add final SSL config file safe expansion
e8d668b 
Final safe expansion will expand EASYRSA_SSL_CONF, as required by SSL library.

Signed-off-by: Richard T Bonhomme <[email protected]>
@TinCanTech
escape_hazard(): Remove conditional execution
4fe517e 
Signed-off-by: Richard T Bonhomme <[email protected]>
@TinCanTech
check_ssl_cnf_known_hash() - correct error messages
dde7a2f 
Signed-off-by: Richard T Bonhomme <[email protected]>
@TinCanTech
easyrsa_openssl() - expand EASYRSA_SSL_CONF and export to OPENSSL_CON…
55b1a99 
…F v2 add 'else'

Signed-off-by: Richard T Bonhomme <[email protected]>
@TinCanTech
easyrsa_openssl() - Remove local/global use of EASYRSA_SSL_CONF
8b61cd2 
Signed-off-by: Richard T Bonhomme <[email protected]>
@TinCanTech
Remove write_easyrsa_ssl_cnf_tmp() and usage (replaced by easyrsa_ope…
a5deb62 
…nssl() final expansion)

Signed-off-by: Richard T Bonhomme <[email protected]>
@TinCanTech
Introduce and use provide_EASYRSA_SSL_CONF_tmp(), unexpanded openssl-…
faaa24d 
…easyrsa.cnf

Signed-off-by: Richard T Bonhomme <[email protected]>
@TinCanTech
Remove expand_ssl_config(), unused
b31443d 
Signed-off-by: Richard T Bonhomme <[email protected]>
@TinCanTech TinCanTech self-assigned this Sep 27, 2025
@TinCanTech TinCanTech mentioned this pull request Sep 27, 2025
Closed
@TinCanTech TinCanTech linked an issue Sep 27, 2025 that may be closed by this pull request
OpenBSD/LibreSSL failure #1390
Closed
@TinCanTech TinCanTech linked an issue Sep 28, 2025 that may be closed by this pull request
init-pki must respect lock-file #1389
Closed
@TinCanTech
Copy link
Collaborator Author

TinCanTech commented Oct 2, 2025
edited
Loading

This also passes manual and full unit test on OpenBSD with LibreSSL 4.1.0, including Edwards curve algorithm.

@TinCanTech TinCanTech mentioned this pull request Oct 2, 2025
Closed
@TinCanTech TinCanTech removed the development Possible changes label Oct 2, 2025
@TinCanTech TinCanTech added this to the v3.2.5 milestone Oct 3, 2025
@TinCanTech TinCanTech merged commit d706236 into OpenVPN:master Oct 3, 2025
3 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@TinCanTech TinCanTech

Labels

BUG-FIX LibreSSL

Projects

None yet

Milestone

v3.2.5

Development

Successfully merging this pull request may close these issues.

OpenBSD/LibreSSL failure init-pki must respect lock-file

1 participant

@TinCanTech