From 25b7485de5dfed9db79476ac1206eeb1fea247d6 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Sun, 26 Oct 2025 18:39:16 +0000
Subject: [PATCH 1/4] verify_ssl_lib(): libressl, export EASYRSA_FORCE_SAFE_SSL=1
Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 1 +
 1 file changed, 1 insertion(+)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index d8cdbbb08..ef5b84050 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -1286,6 +1286,7 @@ verify_ssl_lib() {
 LibreSSL)
 ssl_lib=libressl
 ssl_cnf_type=safe-cnf
+ export EASYRSA_FORCE_SAFE_SSL=1
 ;;
 *)
 error_msg="$("$EASYRSA_OPENSSL" version 2>&1)"
From 59ce9f362222ab7077bc46e9d9a1c53da6c364e0 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Sun, 26 Oct 2025 18:51:03 +0000
Subject: [PATCH 2/4] verify_ssl_lib(), easyrsa_openssl(): Remove ALL use of $ssl_cnf_type
Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 9 +--------
 1 file changed, 1 insertion(+), 8 deletions(-)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index ef5b84050..29740ff8b 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -1220,7 +1220,7 @@ easyrsa_openssl() {
 [ -f "$EASYRSA_SSL_CONF" ] || \
 die "easyrsa_openssl - Missing EASYRSA_SSL_CONF"
- if [ "$ssl_cnf_type" = safe-cnf ] || [ "$EASYRSA_FORCE_SAFE_SSL" ]; then
+ if [ "$EASYRSA_FORCE_SAFE_SSL" ]; then
 final_safe_ssl_cnf=
 easyrsa_mktemp final_safe_ssl_cnf
@@ -1276,16 +1276,9 @@ verify_ssl_lib() {
 case "${val%% *}" in
 OpenSSL)
 ssl_lib=openssl
- # Honor EASYRSA_FORCE_SAFE_SSL
- if [ "$EASYRSA_FORCE_SAFE_SSL" ]; then
- ssl_cnf_type=safe-cnf
- else
- ssl_cnf_type=ssl-cnf
- fi
 ;;
 LibreSSL)
 ssl_lib=libressl
- ssl_cnf_type=safe-cnf
 export EASYRSA_FORCE_SAFE_SSL=1
 ;;
 *)
From bd98e647e6a197a3a30310278fc53cdff86496ce Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Sun, 26 Oct 2025 20:46:20 +0000
Subject: [PATCH 3/4] verify_ssl_lib(): Rename $ssl_lib to $ssl_lib_name; Effects ssl_cert_x509v3_eku() 
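Review bot: `export EASYRSA_FORCE_SAFE_SSL=1` in the LibreSSL branch silently overwrites whatever value the caller already had in `EASYRSA_FORCE_SAFE_SSL` and pushes it into the environment of every child process, so a comment stating that this is intended would save the next reader a question, e.g. `# LibreSSL always gets the safe config: export so easyrsa_openssl() and any child process see it`. The forced value only takes effect once verify_ssl_lib() has run; whether any code path can call easyrsa_openssl() before library detection cannot be confirmed or ruled out from this hunk. verify_ssl_lib() begins and ends outside the hunk.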
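Review bot: `[ "$EASYRSA_FORCE_SAFE_SSL" ]` in easyrsa_openssl() is now the sole selector of the safe config, and it is true for any non-empty string, so a user who writes `EASYRSA_FORCE_SAFE_SSL=0` or `EASYRSA_FORCE_SAFE_SSL=no` in a vars file gets the safe config forced rather than disabled. Either state that only the unset or empty form disables it, e.g. `# Any non-empty value (including 0) selects the safe config; verify_ssl_lib() exports it for LibreSSL`, or normalize the value before the test. With the `ssl_cnf_type` fallback gone, the LibreSSL case also depends on verify_ssl_lib() having already exported the variable, which this hunk cannot verify. easyrsa_openssl() continues outside the hunk on both sides.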
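Review bot: With both assignments to `ssl_cnf_type` removed from verify_ssl_lib(), any reader of `$ssl_cnf_type` still present elsewhere in the script would now see an empty string and silently take its non-safe branch; the commit title says no readers remain, but that is not visible from this hunk, so a search for the name before merge is worth doing. The OpenSSL branch is left with just `ssl_lib=openssl`, which is fine, though a line such as `# Safe-config selection now lives solely in easyrsa_openssl() via EASYRSA_FORCE_SAFE_SSL` would explain why the honour check disappeared. verify_ssl_lib() starts and ends outside the hunk.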
Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 29740ff8b..a8f86f6f4 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -1275,10 +1275,10 @@ verify_ssl_lib() {
 # SSL lib name
 case "${val%% *}" in
 OpenSSL)
- ssl_lib=openssl
+ ssl_lib_name=openssl
 ;;
 LibreSSL)
- ssl_lib=libressl
+ ssl_lib_name=libressl
 export EASYRSA_FORCE_SAFE_SSL=1
 ;;
 *)
@@ -1299,7 +1299,7 @@ $error_msg"
 1) no_password='-nodes' ;;
 2) no_password='-nodes' ;;
 3|4)
- case "$ssl_lib" in
+ case "$ssl_lib_name" in
 openssl)
 openssl_v3=1
 no_password='-noenc'
@@ -1307,7 +1307,7 @@ $error_msg"
 libressl)
 no_password='-nodes'
 ;;
- *) die "Unexpected SSL library: $ssl_lib"
+ *) die "Unexpected SSL library: $ssl_lib_name"
 esac
 ;;
 *) die "Unexpected SSL version: $osslv_major"
@@ -5230,7 +5230,7 @@ ssl_cert_x509v3_eku() {
 ceku_known=
 # Extract certificate Extended Key Usage
- if [ "$ssl_lib" = libressl ]; then
+ if [ "$ssl_lib_name" = libressl ]; then
 ceku_eku="$(
 "$EASYRSA_OPENSSL" x509 -in "$ceku_crt" -noout \
 -text | \
From ffeececa4266a650e01cfee2e5c2953efc5835c5 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Mon, 27 Oct 2025 02:04:39 +0000
Subject: [PATCH 4/4] ChangeLog: Libressl: Use ONLY $EASYRSA_FORCE_SAFE_SSL
Signed-off-by: Richard T Bonhomme
---
 ChangeLog | 1 +
 1 file changed, 1 insertion(+)
diff --git a/ChangeLog b/ChangeLog
index c7390fe0e..a32e00e67 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,7 @@ Easy-RSA 3 ChangeLog
 3.2.5 (TBD)
+ * Libressl: Use ONLY $EASYRSA_FORCE_SAFE_SSL (25b7485) (#1402)
 * select_x509_type_tmp(): This compliments select_ssl_cnf_tmp() (dc754e4) (#1401)
 * select_ssl_cnf_tmp(): Replace provide_EASYRSA_SSL_CONF_tmp() (538ad3d) (#1401)
 * inline_file(): Make unknown certificate type non-fatal (b2373e2) (#1399)