[1/3] ovpnmain.cgi: Define OpenSSL configuration globally

Message ID 20240418213654.3321580-1-michael.tremer@ipfire.org

Commit Message

Michael Tremer April 18, 2024, 9:36 p.m. UTC
  This makes commands shorter and therefore easier to read.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 html/cgi-bin/ovpnmain.cgi | 30 +++++++++++++-----------------
 1 file changed, 13 insertions(+), 17 deletions(-)
  

Patch

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index c92d0237d..9b8ff5aa5 100755
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -53,6 +53,9 @@  my %mainsettings = ();
 &General::readhash("${General::swroot}/main/settings", \%mainsettings);
 &General::readhash("/srv/web/ipfire/html/themes/ipfire/include/colors.txt", \%color);
 
+# Use a custom OpenSSL configuration file for all operations
+$ENV["OPENSSL_CONF"] = "${General::swroot}/ovpn/ca/cacert.pem";
+
 ###
 ### Initialize variables
 ###
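Review bot: The new assignment on the `+` line never reaches the environment: `$ENV["OPENSSL_CONF"]` with square brackets subscripts the array `@ENV`, not the hash `%ENV`, so OPENSSL_CONF stays unset while every `-config` argument is removed in the hunks that follow, and the openssl calls presumably fall back to their default configuration; because `ENV` is a special global name this is likely not caught by `use strict` either. The value is also wrong: it points at the CA certificate `${General::swroot}/ovpn/ca/cacert.pem`, whereas the removed arguments all pointed at the configuration file `${General::swroot}/ovpn/openssl/ovpn.cnf`. The line should read `$ENV{'OPENSSL_CONF'} = "${General::swroot}/ovpn/openssl/ovpn.cnf";`. The same dependency applies to every later hunk in this file (the `req`, `ca -gencrl`, `ca -revoke` and `ca` signing calls at lines 1838, 1869, 1885, 1903, 2425, 2479, 4051, 4263 and 4276 on the new side), which now only work if this variable is set correctly and inherited by the child through exec()/system()/General::system.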
@@ -1835,8 +1838,7 @@  END
 	    unless (exec ('/usr/bin/openssl', 'req', '-x509', '-nodes',
 			'-days', '999999', '-newkey', 'rsa:4096', '-sha512',
 			'-keyout', "${General::swroot}/ovpn/ca/cakey.pem",
-			'-out', "${General::swroot}/ovpn/ca/cacert.pem",
-			'-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
+			'-out', "${General::swroot}/ovpn/ca/cacert.pem")) {
 		$errormessage = "$Lang::tr{'cant start openssl'}: $!";
 		goto ROOTCERT_ERROR;
 	    }
@@ -1867,8 +1869,7 @@  END
 			'-newkey', 'rsa:4096',
 			'-keyout', "${General::swroot}/ovpn/certs/serverkey.pem",
 			'-out', "${General::swroot}/ovpn/certs/serverreq.pem",
-			'-extensions', 'server',
-			'-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" )) {
+			'-extensions', 'server')) {
 		$errormessage = "$Lang::tr{'cant start openssl'}: $!";
 		unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
 		unlink ("${General::swroot}/ovpn/certs/serverreq.pem");
@@ -1884,8 +1885,7 @@  END
 		'-batch', '-notext',
 		'-in',  "${General::swroot}/ovpn/certs/serverreq.pem",
 		'-out', "${General::swroot}/ovpn/certs/servercert.pem",
-		'-extensions', 'server',
-		'-config', "${General::swroot}/ovpn/openssl/ovpn.cnf");
+		'-extensions', 'server');
 	if ($?) {
 	    $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
 	    unlink ("${General::swroot}/ovpn/ca/cakey.pem");
@@ -1903,8 +1903,7 @@  END
 	# Create an empty CRL
 	# System call is safe, because all arguments are passed as array.
 	system('/usr/bin/openssl', 'ca', '-gencrl',
-		'-out', "${General::swroot}/ovpn/crls/cacrl.pem",
-		'-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" );
+		'-out', "${General::swroot}/ovpn/crls/cacrl.pem");
 	if ($?) {
 	    $errormessage = "$Lang::tr{'openssl produced an error'}: $?";
 	    unlink ("${General::swroot}/ovpn/certs/serverkey.pem");
@@ -2426,8 +2425,8 @@  else
 
 	if ($confighash{$cgiparams{'KEY'}}) {
 		# Revoke certificate if certificate was deleted and rewrite the CRL
-		&General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
-		&General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
+		&General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");
+		&General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem");
 
 ###
 # m.a.d net2net
@@ -2480,7 +2479,7 @@  else
 		&General::system("/usr/local/bin/openvpnctrl", "-drrd", "$confighash{$cgiparams{'KEY'}}[1]");
 
 		delete $confighash{$cgiparams{'KEY'}};
-		&General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf");
+		&General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem");
 		&General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash);
 
 	} else {
@@ -4052,8 +4051,7 @@  if ($cgiparams{'TYPE'} eq 'net') {
 	    system('/usr/bin/openssl', 'ca', '-days', "$cgiparams{'DAYS_VALID'}",
 		'-batch', '-notext',
 		'-in', $filename,
-		'-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
-		'-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
+		'-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
 	    if ($?) {
 		$errormessage = "$Lang::tr{'openssl produced an error'}: $?";
 		unlink ($filename);
@@ -4265,8 +4263,7 @@  if ($cgiparams{'TYPE'} eq 'net') {
 		unless (exec ('/usr/bin/openssl', 'req', '-nodes',
 			'-newkey', 'rsa:4096',
 			'-keyout', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem",
-			'-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
-			'-config',"${General::swroot}/ovpn/openssl/ovpn.cnf")) {
+			'-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem")) {
 		    $errormessage = "$Lang::tr{'cant start openssl'}: $!";
 		    unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");
 		    unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem");
@@ -4279,8 +4276,7 @@  if ($cgiparams{'TYPE'} eq 'net') {
 	    system('/usr/bin/openssl', 'ca', '-days', "$cgiparams{'DAYS_VALID'}",
 		'-batch', '-notext',
 		'-in',  "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem",
-		'-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
-		'-config',"${General::swroot}/ovpn/openssl/ovpn.cnf");
+		'-out', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem");
 	    if ($?) {
 		$errormessage = "$Lang::tr{'openssl produced an error'}: $?";
 		unlink ("${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem");