diff --git a/ChangeLog b/ChangeLog
index c7390fe0e..a32e00e67 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,7 @@ Easy-RSA 3 ChangeLog
 3.2.5 (TBD)
+ * Libressl: Use ONLY $EASYRSA_FORCE_SAFE_SSL (25b7485) (#1402)
 * select_x509_type_tmp(): This compliments select_ssl_cnf_tmp() (dc754e4) (#1401)
 * select_ssl_cnf_tmp(): Replace provide_EASYRSA_SSL_CONF_tmp() (538ad3d) (#1401)
 * inline_file(): Make unknown certificate type non-fatal (b2373e2) (#1399)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index d8cdbbb08..a8f86f6f4 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -1220,7 +1220,7 @@ easyrsa_openssl() {
 [ -f "$EASYRSA_SSL_CONF" ] || \
 die "easyrsa_openssl - Missing EASYRSA_SSL_CONF"
- if [ "$ssl_cnf_type" = safe-cnf ] || [ "$EASYRSA_FORCE_SAFE_SSL" ]; then
+ if [ "$EASYRSA_FORCE_SAFE_SSL" ]; then
 final_safe_ssl_cnf=
 easyrsa_mktemp final_safe_ssl_cnf
@@ -1275,17 +1275,11 @@ verify_ssl_lib() {
 # SSL lib name
 case "${val%% *}" in
 OpenSSL)
- ssl_lib=openssl
- # Honor EASYRSA_FORCE_SAFE_SSL
- if [ "$EASYRSA_FORCE_SAFE_SSL" ]; then
- ssl_cnf_type=safe-cnf
- else
- ssl_cnf_type=ssl-cnf
- fi
+ ssl_lib_name=openssl
 ;;
 LibreSSL)
- ssl_lib=libressl
- ssl_cnf_type=safe-cnf
+ ssl_lib_name=libressl
+ export EASYRSA_FORCE_SAFE_SSL=1
 ;;
 *)
 error_msg="$("$EASYRSA_OPENSSL" version 2>&1)"
@@ -1305,7 +1299,7 @@ $error_msg"
 1) no_password='-nodes' ;;
 2) no_password='-nodes' ;;
 3|4)
- case "$ssl_lib" in
+ case "$ssl_lib_name" in
 openssl)
 openssl_v3=1
 no_password='-noenc'
@@ -1313,7 +1307,7 @@ $error_msg"
 libressl)
 no_password='-nodes'
 ;;
- *) die "Unexpected SSL library: $ssl_lib"
+ *) die "Unexpected SSL library: $ssl_lib_name"
 esac
 ;;
 *) die "Unexpected SSL version: $osslv_major"
@@ -5236,7 +5230,7 @@ ssl_cert_x509v3_eku() {
 ceku_known=
 # Extract certificate Extended Key Usage
- if [ "$ssl_lib" = libressl ]; then
+ if [ "$ssl_lib_name" = libressl ]; then
 ceku_eku="$(
 "$EASYRSA_OPENSSL" x509 -in "$ceku_crt" -noout \
 -text | \
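Review bot: In easyrsa_openssl() (hunk at -1220) the safe-config branch is now gated only by `[ "$EASYRSA_FORCE_SAFE_SSL" ]`, which is a non-empty test, so a value such as `EASYRSA_FORCE_SAFE_SSL=0` still selects the safe config. That may be intended, but it deserves a comment above the `if`, for example `# Any non-empty value enables the safe SSL config; verify_ssl_lib() sets it for LibreSSL`. With `ssl_cnf_type` removed from the condition, LibreSSL handling here depends on verify_ssl_lib() having run in the same shell before this function; presumably that ordering holds, but nothing in the hunk shows or enforces it. The function body starts and ends outside the hunk.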
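Review bot: The LibreSSL branch of verify_ssl_lib() (hunk at -1275) writes `export EASYRSA_FORCE_SAFE_SSL=1` over a variable that is also a user-facing option, so from this line on the script cannot tell a user's choice from the library default, and the value is passed to every child process. A one-line comment would make that deliberate, e.g. `# LibreSSL: always use the safe SSL config (overrides any user value)`; if no child process reads the variable, a plain assignment without `export` would keep the effect local, which cannot be judged from the hunk alone. The same hunk stops assigning `ssl_cnf_type` and renames `ssl_lib` to `ssl_lib_name` (followed up in the hunks at -1305, -1313 and -5236), so any reader of the old names outside the shown hunks would now see an empty value; a search of the script for both names is worth doing before merge. The case statement continues outside the hunk.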