From patchwork Tue Apr 1 18:07:57 2025
X-Patchwork-Submitter: Adolf Belka
X-Patchwork-Id: 8591
From: Adolf Belka
To: development@lists.ipfire.org
Cc: Adolf Belka
Subject: [PATCH 1/6] vpnmain.cgi: Fixes bug13737 - remove unneeded &cleanssldatabase calls
Date: Tue, 1 Apr 2025 20:07:57 +0200
Message-ID: <20250401180802.19784-1-adolf.belka@ipfire.org>

- This first part removes all usages of &cleanssldatabase with the client certificates. This is not needed here. If used then the serial number would be moved back to 01 when an existing client certificate is removed or a new one created, even if no errors occurred.
- The usage of &cleanssldatabase has also been removed from the root/host cert creation if it was successful, otherwise the index file is moved back to being empty and the serial file to containing 01.
- The only usage now of the &cleanssldatabase is for when the root/host cert set is being created or if an uploaded cert has been checked as good to install.
- This now means that each time a new client certificate is created the serial number is incremented.
- The removal of the x509 root/host cert also unlinks all .pem files in the certs directory and therefore also all the 01.pem, 02.pem etc files, so the &cleanssldatabase routine no longer needs to unlink the 01.pem file.
- The &newcleanssldatabase script is no longer needed, as the &cleanssldatabase commands used cover the required cleaning, so it has been removed.
- This patch together with the others from this set have been tested out on my vm system and I was able to create a new root/host cert set and then new client certs and make an ipsec certificate connection successfully. I could then renew the host cert and the client connection still worked.

Fixes: bug13737
Tested-by: Adolf Belka
Signed-off-by: Adolf Belka
---
 html/cgi-bin/vpnmain.cgi | 30 +-----------------------------
 1 file changed, 1 insertion(+), 29 deletions(-)
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index e30506fdf..85119a81d 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -2,7 +2,7 @@ ############################################################################### # # # IPFire.org - A linux based firewall # -# Copyright (C) 2007-2022 IPFire Team # +# Copyright (C) 2007-2025 IPFire Team # # # # This program is free software: you can redistribute it and/or modify # # it under the terms of the GNU General Public License as published by # @@ -200,27 +200,6 @@ sub cleanssldatabase { unlink ("${General::swroot}/certs/index.txt.old"); unlink ("${General::swroot}/certs/index.txt.attr.old"); unlink ("${General::swroot}/certs/serial.old"); - unlink ("${General::swroot}/certs/01.pem"); -} -sub newcleanssldatabase { - if (! -s "${General::swroot}/certs/serial" ) { - open(FILE, ">${General::swroot}/certs/serial"); - print FILE "01"; - close FILE; - } - if (! -s ">${General::swroot}/certs/index.txt") { - open(FILE, ">${General::swroot}/certs/index.txt"); - close(FILE); - } - if (! -s ">${General::swroot}/certs/index.txt.attr") { - open(FILE, ">${General::swroot}/certs/index.txt.attr"); - print FILE "unique_subject = yes"; - close(FILE); - } - unlink ("${General::swroot}/certs/index.txt.old"); - unlink ("${General::swroot}/certs/index.txt.attr.old"); - unlink ("${General::swroot}/certs/serial.old"); -# unlink ("${General::swroot}/certs/01.pem"); numbering evolves. Wrong place to delete } ### @@ -889,8 +868,6 @@ END } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'generate root/host certificates'} || $cgiparams{'ACTION'} eq $Lang::tr{'upload p12 file'}) { - &newcleanssldatabase(); - if (-f "${General::swroot}/ca/cacert.pem") { $errormessage = $Lang::tr{'valid root certificate already exists'}; goto ROOTCERT_SKIP; 
@@ -1004,7 +981,6 @@ END # IPFire can only import certificates &General::log("charon", "p12 import completed!"); - &cleanssldatabase(); goto ROOTCERT_SUCCESS; } elsif ($cgiparams{'ROOTCERT_COUNTRY'} ne '') { @@ -1170,7 +1146,6 @@ END # Successfully build CA / CERT! if (!$errormessage) { - &cleanssldatabase(); goto ROOTCERT_SUCCESS; } @@ -1933,11 +1908,9 @@ END if ( $errormessage = &callssl ($opt) ) { unlink ($filename); unlink ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); - &cleanssldatabase(); goto VPNCONF_ERROR; } else { unlink ($filename); - &cleanssldatabase(); } $cgiparams{'CERT_NAME'} = getCNfromcert ("${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"); @@ -2220,7 +2193,6 @@ END } else { unlink ($v3extname); unlink ("${General::swroot}/certs/$cgiparams{'NAME'}req.pem"); - &cleanssldatabase(); } # Create the pkcs12 file
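Review bot: in the hunk at `@@ -200,27 +200,6 @@`, the deleted `newcleanssldatabase` contained two broken checks, `if (! -s ">${General::swroot}/certs/index.txt")` and the same form for `index.txt.attr`, where the stray `>` inside the quoted path made `-s` test a filename that never exists, so both files were truncated on every call regardless of their content. Removing the function fixes that as a side effect, and the commit message should say so, because that unconditional truncation was one of the ways the CA index got discarded. The same hunk also drops `unlink ("${General::swroot}/certs/01.pem")` from the surviving `cleanssldatabase`; the message justifies this with the root/host cert removal path unlinking every `.pem` in `certs`, which is code outside this patch, so please name that subroutine or line in the message so a later reader can verify the dependency.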
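Review bot: in the hunk at `@@ -889,8 +868,6 @@`, `&newcleanssldatabase();` is removed without any replacement call appearing in this hunk, and the deleted function was the only place shown in this patch that created `serial`, `index.txt` and `index.txt.attr` when they were missing. The commit message says the remaining `&cleanssldatabase()` now covers root/host creation and p12 import, but no hunk in this patch adds such a call, so confirm that the existing call runs before the first certificate is issued, so that a fresh installation with no `certs/serial` yet still gets the three files created, and note in the message where that call lives.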
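Review bot: in the hunk at `@@ -1933,11 +1908,9 @@`, the `&callssl ($opt)` error path now only unlinks `$filename` and `${General::swroot}/certs/$cgiparams{'NAME'}cert.pem` before `goto VPNCONF_ERROR`, so whatever state `&callssl` left in `index.txt` and `serial` is kept rather than reset. That matches the stated intent (a failed client certificate must not push the counter back to 01), but a one-line comment at this spot would help, since the previous code reset the database on every failure and a reader of the error branch will otherwise assume the cleanup was dropped by mistake.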