From patchwork Sun May 21 12:45:43 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adolf Belka X-Patchwork-Id: 6897 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4QPL0k2Q39z3wlf for ; Sun, 21 May 2023 12:45:58 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4QPL0h4zsXzbW; Sun, 21 May 2023 12:45:56 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4QPL0h3VKpz2yhw; Sun, 21 May 2023 12:45:56 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4QPL0g1h01z2xbN for ; Sun, 21 May 2023 12:45:55 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4QPL0Z2q6gzbN; Sun, 21 May 2023 12:45:50 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1684673152; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=UZzuY2mVhaImvtWwor76GBLxyBsG9EuNPDMmyuI4arI=; b=nfP7KFNVsgcI1XgIjxUY1oFAG3gCK0eze+09efp0bOzANeGKQrLfY3qCVAjLi9zehxS4vk DHOlRfx/ZY8WZ7mSBQ/b2yKySPTNZSRFHCHOCKxGD+LDcDe1BI4xQlZKEbYFSOjL2Xd4w7 Slevo4hLQPyKoOT/mJpbDI32NLokxubcUJ/sW7qHVlxo3sAJtDjmGpqoQT6J+6JWescK4J hwKa0anQTa2yxsnrgdFWpLcVi2vs3OSWUMRBgYXQkJR3H/BbwEXedOleF4TVwYsQ22oKhj 3I7l8W8kwnc8xF0uXScZdnjFoJojUfW9MX5dAMKewxMufp54N8bF84n8WoUYqw== DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1684673152; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=UZzuY2mVhaImvtWwor76GBLxyBsG9EuNPDMmyuI4arI=; b=tt3FCMBfaNPUaX1xoW8Nky2n8zpFbfwDlUSlSoLbFL+Gu4pssWXDWWiAXAaA4TjYQXRNkj 2zsWQxJS/rgVhADQ== From: Adolf Belka To: development@lists.ipfire.org Subject: [PATCH 1/2] openssl: Fix for Bug#13117 - adds legacy option in for openssl extraction of cert & key Date: Sun, 21 May 2023 14:45:43 +0200 Message-Id: <20230521124544.3457345-1-adolf.belka@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" - OpenSSL-3.x gives an error when trying to open insecure .p12 files to extract the cert and key for the insecure package download option. - To make this work the -legacy option is needed in the openssl command, which requires the legacy.so library to be available. - Successfully tested on a vm system. - Patch set built on Master (CU175 Testing) Tested-by: Adolf Belka Signed-off-by: Adolf Belka --- config/rootfiles/common/openssl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/rootfiles/common/openssl b/config/rootfiles/common/openssl index e29bc6dc1..44ae2cda9 100644 --- a/config/rootfiles/common/openssl +++ b/config/rootfiles/common/openssl @@ -160,7 +160,7 @@ usr/lib/libcrypto.so.3 usr/lib/libssl.so usr/lib/libssl.so.3 #usr/lib/ossl-modules -#usr/lib/ossl-modules/legacy.so +usr/lib/ossl-modules/legacy.so #usr/lib/pkgconfig/libcrypto.pc #usr/lib/pkgconfig/libssl.pc #usr/lib/pkgconfig/openssl.pc From patchwork Sun May 21 12:45:44 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adolf Belka X-Patchwork-Id: 6898 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4QPL0l4fTmz3wlf for ; Sun, 21 May 2023 12:45:59 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4QPL0j0jy6z2q9; Sun, 21 May 2023 12:45:57 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4QPL0h4B9wz300t; Sun, 21 May 2023 12:45:56 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4QPL0g25l9z2ySr for ; Sun, 21 May 2023 12:45:55 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4QPL0g0DyMzbW; Sun, 21 May 2023 12:45:55 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1684673155; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=ilGlx1YpcPesS/Dwe85Elqfh7PAUvSRt9/Zla3gHG74=; b=e978u099ohU5yY/AE/cqclSSiWzhT/g3IpRd1zTZvtpffdmeJTFmq7AP7P8uDUHSSnz+kb x6i4Rr8Uo+faSECg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1684673155; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=ilGlx1YpcPesS/Dwe85Elqfh7PAUvSRt9/Zla3gHG74=; b=GMHEDo2rNcSUBcft8n3dS5Ja/8bdLnwB62/XoSpYExyHhUb1sM7+TJo32LETBhKXOoOEla z3Frx3Hfe3+Wf0YBTx1ApmEYc+pvrJKL8QYYQx3aEVXx62DX+EWEvml3eYrDh1Yi1BZMEO jcZDFY8vhQtD3cew9UrR1IvYW6qn7/cJe6fS2ZHgVWiu51KNKbcs4HVMrltgF5O4S4YKCP +bZqm9pNzeCTzI5ucxiKKTGPnJZR0t20KiGNFIrym/6tjBlJFiNZ/0ys2LiIVVSrfq7gyx xWPY+qp8t4ENG9L3n0FSE3L/7yhUrS3kSO8t5d9y/JGbaagR+DMubumDibB5Hw== From: Adolf Belka To: development@lists.ipfire.org Subject: [PATCH 2/2] ovpnmain.cgi: Fixes Bug#13117 - adds legacy option to openssl commands for cert & key extraction Date: Sun, 21 May 2023 14:45:44 +0200 Message-Id: <20230521124544.3457345-2-adolf.belka@ipfire.org> In-Reply-To: <20230521124544.3457345-1-adolf.belka@ipfire.org> References: <20230521124544.3457345-1-adolf.belka@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" - Any insecure connections made with openssl-3.x can have the cert and key extracted but if the insecure connection was made from prior to CU175 Testing then it used openssl-1.1.1 which causes an error under openssl-3.x due to the old version being able to accept older ciphers no longer accepted by openssl-3.x - Adding the -legacy option to the openssl commands enables openssl-3.x to successfully open them and extract the cert and key - Successfully tested on a vm system. Confirmed that the downloaded version under openssl-3.x worked exactly the same as the version downloaded under openssl-1.1.1 Tested-by: Adolf Belka Signed-off-by: Adolf Belka --- html/cgi-bin/ovpnmain.cgi | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) mode change 100644 => 100755 html/cgi-bin/ovpnmain.cgi diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi old mode 100644 new mode 100755 index 50ad21e79..5b0accf3f --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -2227,7 +2227,7 @@ else # Extract the certificate # This system call is safe, because all arguments are passed as an array. - system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", + system('/usr/bin/openssl', 'pkcs12', '-legacy', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", '-clcerts', '-nokeys', '-nodes', '-out', "$file_crt" , '-passin', 'pass:'); if ($?) { die "openssl error: $?"; @@ -2238,7 +2238,7 @@ else # Extract the key # This system call is safe, because all arguments are passed as an array. - system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", + system('/usr/bin/openssl', 'pkcs12', '-legacy', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", '-nocerts', '-nodes', '-out', "$file_key", '-passin', 'pass:'); if ($?) { die "openssl error: $?";