From patchwork Tue Feb  3 19:55:52 2026
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Stefan Schantl <stefan.schantl@ipfire.org>
X-Patchwork-Id: 9480
Return-Path: <development+bounces-1676-patchwork=ipfire.org@lists.ipfire.org>
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange x25519 server-signature ECDSA (secp384r1 raw public key)
 server-digest SHA384
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mail01.haj.ipfire.org", Issuer "R12" (verified OK))
	by web04.haj.ipfire.org (Postfix) with ESMTPS id 4f5DnG6zLfz3wmj
	for <patchwork@web04.haj.ipfire.org>; Tue, 03 Feb 2026 19:58:26 +0000 (UTC)
Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange x25519)
	(Client CN "mail02.haj.ipfire.org", Issuer "E8" (verified OK))
	by mail01.ipfire.org (Postfix) with ESMTPS id 4f5DnG25FHz5XW
	for <patchwork@ipfire.org>; Tue, 03 Feb 2026 19:58:26 +0000 (UTC)
Received: from mail02.haj.ipfire.org (localhost [IPv6:::1])
	by mail02.haj.ipfire.org (Postfix) with ESMTP id 4f5DnG1KF8z332Z
	for <patchwork@ipfire.org>; Tue, 03 Feb 2026 19:58:26 +0000 (UTC)
X-Original-To: development@lists.ipfire.org
Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange x25519 server-signature ECDSA (secp384r1 raw public key)
 server-digest SHA384
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mail01.haj.ipfire.org", Issuer "R12" (verified OK))
	by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4f5DnC3hY2z2xLt
	for <development@lists.ipfire.org>; Tue, 03 Feb 2026 19:58:23 +0000 (UTC)
Received: from [127.0.0.1] (localhost [127.0.0.1])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange x25519 server-signature RSA-PSS (4096 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mail01.ipfire.org (Postfix) with ESMTPSA id 4f5Dn95s0nz2sJ;
	Tue, 03 Feb 2026 19:58:21 +0000 (UTC)
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org;
	s=202003ed25519; t=1770148702;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:
	 content-transfer-encoding:content-transfer-encoding;
	bh=zC3kV+qHe1857gUXFUmJ8QUkmik3wceQAfsp9rgics4=;
	b=EpEBCUDQSYuBITPttfCMUFqFsWlQldvMX1lzjwfBaPKq0k8NRr62HYWr2eqzsstniw40eq
	ISEDfilNkcVixKCw==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org;
 s=202003rsa;
	t=1770148702;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:
	 content-transfer-encoding:content-transfer-encoding;
	bh=zC3kV+qHe1857gUXFUmJ8QUkmik3wceQAfsp9rgics4=;
	b=B6kC6nsiV5d+ZZepVNHlSEolkg9DR7DPa4LqPuYh2jt5I335vPxn++v7P6oIHO9kx9H5DM
	MgQd5gBsp33ur22trEIPKZ5/VPiMeMZW3UoRDsAyNKI7tHw+On/CPUG0NPkCbYG4nfdV+/
	etlsRQpNJKlfo5wAljiIjyY/F3CqSD0tevR0OdrM908QBlT8A/HSjd7PpkrjN17oFTo1TJ
	IhYi2ek+xPqTyP+4KBU85Fdh0ZhuGpoWFKjeRggdI2KpdL0In1+IUDjh9SDPiJqMtUJl2V
	tPnGcunK1WAisRpJA8jn/vzk/cM3CPujpGtltBzCAs695+cfknJcPNU+GloanA==
From: Stefan Schantl <stefan.schantl@ipfire.org>
To: development@lists.ipfire.org
Cc: Stefan Schantl <stefan.schantl@ipfire.org>
Subject: [PATCH] ovpnmain.cgi: Re-implement iscertlegacy function
Date: Tue,  3 Feb 2026 20:55:52 +0100
Message-ID: <20260203195552.11485-1-stefan.schantl@ipfire.org>
Precedence: list
List-Id: <development.lists.ipfire.org>
List-Subscribe: <https://lists.ipfire.org/>,
 <mailto:development+subscribe@lists.ipfire.org?subject=subscribe>
List-Unsubscribe: <https://lists.ipfire.org/>,
 <mailto:development+unsubscribe@lists.ipfire.org?subject=unsubscribe>
List-Post: <mailto:development@lists.ipfire.org>
List-Help: <mailto:development+help@lists.ipfire.org?subject=help>
Sender: <development@lists.ipfire.org>
Mail-Followup-To: <development@lists.ipfire.org>
MIME-Version: 1.0

Re-implement the iscertlegacy function to proper detect any kind
of legacy certificate by using the openssl legacy switch.

Fixes #13936

Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
---
 html/cgi-bin/ovpnmain.cgi | 30 +++++++++++++++++++++++++-----
 1 file changed, 25 insertions(+), 5 deletions(-)

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index e53bd6e28..af716c7d5 100644
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -143,12 +143,32 @@ my $col="";
 sub iscertlegacy
 {
 	my $file=$_[0];
-	my @certinfo = &General::system_output("/usr/bin/openssl", "pkcs12", "-info", "-nodes",
+	my @openssl_cmd = ("/usr/bin/openssl", "pkcs12", "-info", "-nodes",
 	"-in", "$file.p12", "-noout", "-passin", "pass:''");
-	if (index ($certinfo[0], "MAC: sha1") != -1) {
-		return 1;
-	}
-	return 0;
+	my $ret;
+
+	# Execute the openssl command.
+	$ret = &General::safe_system(@openssl_cmd);
+
+	# Early exit if the openssl return code is zero and we do not have a
+	# lecacy certificate.
+	return 0 if ($ret eq "0");
+
+	# In case we got an return code of one, retry with enabled legacy option.
+	#
+	# Add option to enable legacy ciphers to the openssl command.
+	push(@openssl_cmd, "-legacy");
+
+	# Re-execute the openssl command with legacy option.
+	$ret = &General::safe_system(@openssl_cmd);
+
+	# Exit and return 1 if the return code of the openssl command is zero
+	# with enabled legay option, which indicates a legacy certificate.
+	return 1 if ($ret eq "0");
+
+	# If we got here, the openssl command was not able to detect
+	# which kind of certificate is used.
+	return undef;
 }
 
 sub is_cert_rfc3280_compliant($) {