From patchwork Thu Apr 18 21:36:53 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Michael Tremer <michael.tremer@ipfire.org>
X-Patchwork-Id: 7742
Return-Path: <development-bounces@lists.ipfire.org>
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (secp384r1)
	 client-signature ECDSA (secp384r1))
	(Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK))
	by web04.haj.ipfire.org (Postfix) with ESMTPS id 4VLB1p5J9Pz3wwD
	for <patchwork@web04.haj.ipfire.org>; Thu, 18 Apr 2024 21:37:02 +0000 (UTC)
Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (secp384r1)
	 client-signature ECDSA (secp384r1))
	(Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK))
	by mail01.ipfire.org (Postfix) with ESMTPS id 4VLB1l0Fk9z369;
	Thu, 18 Apr 2024 21:36:59 +0000 (UTC)
Received: from mail02.haj.ipfire.org (localhost [127.0.0.1])
	by mail02.haj.ipfire.org (Postfix) with ESMTP id 4VLB1k6Pdwz32fy;
	Thu, 18 Apr 2024 21:36:58 +0000 (UTC)
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (secp384r1)
	 client-signature ECDSA (secp384r1))
	(Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK))
	by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4VLB1h2YsRz32fy
	for <development@lists.ipfire.org>; Thu, 18 Apr 2024 21:36:56 +0000 (UTC)
Received: from michael.haj.ipfire.org (michael.haj.ipfire.org [172.28.1.242])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (secp384r1)
	 client-signature ECDSA (secp384r1))
	(Client CN "michael.haj.ipfire.org", Issuer "R3" (verified OK))
	by mail01.ipfire.org (Postfix) with ESMTPS id 4VLB1g4wqmz15d;
	Thu, 18 Apr 2024 21:36:55 +0000 (UTC)
Received: by michael.haj.ipfire.org (Postfix, from userid 0)
	id 4VLB1g2rkYzTgNC; Thu, 18 Apr 2024 21:36:55 +0000 (UTC)
From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: [PATCH 2/3] OpenVPN: Move the OpenSSL configuration file out of
 /var/ipfire
Date: Thu, 18 Apr 2024 21:36:53 +0000
Message-Id: <20240418213654.3321580-2-michael.tremer@ipfire.org>
X-Mailer: git-send-email 2.39.2
In-Reply-To: <20240418213654.3321580-1-michael.tremer@ipfire.org>
References: <20240418213654.3321580-1-michael.tremer@ipfire.org>
MIME-Version: 1.0
Message-ID-Hash: 5ZZ5RVCOPQCVNQFNW3L3S5PVXABRBEU7
X-Message-ID-Hash: 5ZZ5RVCOPQCVNQFNW3L3S5PVXABRBEU7
X-MailFrom: root@michael.haj.ipfire.org
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency;
 loop; banned-address; member-moderation; nonmember-moderation; administrivia;
 implicit-dest; max-recipients; max-size; news-moderation; no-subject;
 digests; suspicious-header
CC: Michael Tremer <michael.tremer@ipfire.org>
X-Mailman-Version: 3.3.8
Precedence: list
List-Id: IPFire development talk <development.lists.ipfire.org>
Archived-At: 
 <https://lists.ipfire.org/hyperkitty/list/development@lists.ipfire.org/message/5ZZ5RVCOPQCVNQFNW3L3S5PVXABRBEU7/>
List-Archive: 
 <https://lists.ipfire.org/hyperkitty/list/development@lists.ipfire.org/>
List-Help: <mailto:development-request@lists.ipfire.org?subject=help>
List-Owner: <mailto:development-owner@lists.ipfire.org>
List-Post: <mailto:development@lists.ipfire.org>
List-Subscribe: <mailto:development-join@lists.ipfire.org>
List-Unsubscribe: <mailto:development-leave@lists.ipfire.org>

We should not have any configuration files that we share in this place,
therefore this patch is moving it into /usr/share/openvpn where we
should be able to update it without any issues.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
---
 config/rootfiles/common/openvpn | 2 +-
 html/cgi-bin/ovpnmain.cgi       | 2 +-
 lfs/openvpn                     | 6 ++++++
 3 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/config/rootfiles/common/openvpn b/config/rootfiles/common/openvpn
index d9848a579..c0d49bfad 100644
--- a/config/rootfiles/common/openvpn
+++ b/config/rootfiles/common/openvpn
@@ -25,6 +25,7 @@ usr/sbin/openvpn-authenticator
 #usr/share/doc/openvpn/openvpn.8.html
 #usr/share/man/man5/openvpn-examples.5
 #usr/share/man/man8/openvpn.8
+usr/share/openvpn/openssl.cnf
 var/ipfire/ovpn/ca
 var/ipfire/ovpn/caconfig
 var/ipfire/ovpn/ccd
@@ -35,7 +36,6 @@ var/ipfire/ovpn/certs/serial
 var/ipfire/ovpn/crls
 var/ipfire/ovpn/n2nconf
 #var/ipfire/ovpn/openssl
-var/ipfire/ovpn/openssl/ovpn.cnf
 var/ipfire/ovpn/openvpn-authenticator
 var/ipfire/ovpn/ovpn-leases.db
 var/ipfire/ovpn/ovpnconfig
diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 9b8ff5aa5..ed80fef7d 100755
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -54,7 +54,7 @@ my %mainsettings = ();
 &General::readhash("/srv/web/ipfire/html/themes/ipfire/include/colors.txt", \%color);
 
 # Use a custom OpenSSL configuration file for all operations
-$ENV["OPENSSL_CONF"] = "${General::swroot}/ovpn/ca/cacert.pem";
+$ENV["OPENSSL_CONF"] = "/usr/share/openvpn/openssl.cnf";
 
 ###
 ### Initialize variables
diff --git a/lfs/openvpn b/lfs/openvpn
index b71b4ccc9..0704aa438 100644
--- a/lfs/openvpn
+++ b/lfs/openvpn
@@ -101,6 +101,12 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
 	chown root:root /etc/fcron.daily/openvpn-crl-updater
 	chmod 750 /etc/fcron.daily/openvpn-crl-updater
 
+	# Move the OpenSSL configuration file out of /var/ipfire
+	mkdir -pv /usr/share/openvpn
+	mv -v /var/ipfire/ovpn/openssl/ovpn.cnf \
+		/usr/share/openvpn/
+	rmdir -v /usr/share/openvpn
+
 	# Install authenticator
 	install -v -m 755 $(DIR_SRC)/config/ovpn/openvpn-authenticator \
 		/usr/sbin/openvpn-authenticator