[2/2] ovpnmain.cgi: Fixes Bug#13117 - adds legacy option to openssl commands for cert & key extraction
Commit Message
- Any insecure connections made with openssl-3.x can have the cert and key extracted but
if the insecure connection was made from prior to CU175 Testing then it used
openssl-1.1.1 which causes an error under openssl-3.x due to the old version being able
to accept older ciphers no longer accepted by openssl-3.x
- Adding the -legacy option to the openssl commands enables openssl-3.x to successfully
open them and extract the cert and key
- Successfully tested on a vm system. Confirmed that the downloaded version under
openssl-3.x worked exactly the same as the version downloaded under openssl-1.1.1
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
html/cgi-bin/ovpnmain.cgi | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
mode change 100644 => 100755 html/cgi-bin/ovpnmain.cgi
old mode 100644
new mode 100755
@@ -2227,7 +2227,7 @@ else
# Extract the certificate
# This system call is safe, because all arguments are passed as an array.
- system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12",
+ system('/usr/bin/openssl', 'pkcs12', '-legacy', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12",
'-clcerts', '-nokeys', '-nodes', '-out', "$file_crt" , '-passin', 'pass:');
if ($?) {
die "openssl error: $?";
@@ -2238,7 +2238,7 @@ else
# Extract the key
# This system call is safe, because all arguments are passed as an array.
- system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12",
+ system('/usr/bin/openssl', 'pkcs12', '-legacy', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12",
'-nocerts', '-nodes', '-out', "$file_key", '-passin', 'pass:');
if ($?) {
die "openssl error: $?";