From patchwork Sat Jun 3 14:05:41 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adolf Belka X-Patchwork-Id: 6924 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4QYM8x1FSmz3wlB for ; Sat, 3 Jun 2023 14:05:53 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4QYM8t72Mvz1Gd; Sat, 3 Jun 2023 14:05:50 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4QYM8t5DQjz2y3g; Sat, 3 Jun 2023 14:05:50 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384 client-signature ECDSA (P-384) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4QYM8r5cBfz2xGC for ; Sat, 3 Jun 2023 14:05:48 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4QYM8q26MSzQT; Sat, 3 Jun 2023 14:05:47 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1685801147; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=tgxLi5AlID8lDuA9zuV/RCYEI+McWY2GbSPjY0dCgIo=; b=S7XtlE2EKpc1CRUqCkr1elcwNVkejcLc3/CYiH1hvpPJQReh9KxqGlmrRMoI7lTScTxb2D UPU7riGfLX9L4ODg== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1685801147; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=tgxLi5AlID8lDuA9zuV/RCYEI+McWY2GbSPjY0dCgIo=; b=QSlEkK4b8QfSZQMWYgiAQm6buUTQhwALDv406mL8J3f/MMGSw7r1S9QahkMN8aSGciuPBt XcPSe/FH7IoDX/4niPEJpM2OjrJy97IiD3l+xpqokwKpcGijUBhc3yoygeJVMieNRojiJJ c2GjnNR829dEufR29Fwu3DgGiy8bgS8YgWXIAKV2+axofVqaDFy3zNPdopT3zxfwI/Homf gFS1INZwAHSC2f4WbbPoYhiL63CU6RiQKlSzDL9T5p8uX8uovJtTqcb1FtwYG8V3HUO1yd O+p6JSqN4ClKwf2jGa0wwiXhJ6ito0bCAVWFXcWE/qpcd6cbm4JlG/eo1DH4wA== From: Adolf Belka To: development@lists.ipfire.org Subject: [PATCH] vpnmain.cgi: Fixes bug#13138 - root/host certificate set fails to be created Date: Sat, 3 Jun 2023 16:05:41 +0200 Message-Id: <20230603140541.13834-1-adolf.belka@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" - The change to openssl-3.x results in the openssl commands that start with ca failing with the error message OpenSSL produced an error:
40E7B4719B730000:error:0700006C:configuration file routines:NCONF_get_string:no value:crypto/conf/conf_lib.c:315:group= name=unique_subject - The fix for this is to include the unique_subject = yes line into /var/ipfire/certs/index.txt.attr - Additionally, based on the learnings from bug#13137 on OpenVPN, any openssl commands dealing with pkcs12 (.p12) files that were created with openssl-1.1.1x fail when being accessed with openssl-3.x due to the no longer supported algorithm. These can be accessed if the -legacy option is added to every openssl command dealing with pkcs12 Fixes: Bug#13138 Tested-by: Adolf Belka Signed-off-by: Adolf Belka Reviewed-by: Michael Tremer --- html/cgi-bin/vpnmain.cgi | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi index 6c1fd4cf0..f2aeecdf9 100644 --- a/html/cgi-bin/vpnmain.cgi +++ b/html/cgi-bin/vpnmain.cgi @@ -193,7 +193,7 @@ sub cleanssldatabase { close FILE; } if (open(FILE, ">${General::swroot}/certs/index.txt.attr")) { - print FILE ""; + print FILE "unique_subject = yes"; close FILE; } unlink ("${General::swroot}/certs/index.txt.old"); @@ -213,6 +213,7 @@ sub newcleanssldatabase { } if (! -s ">${General::swroot}/certs/index.txt.attr") { open(FILE, ">${General::swroot}/certs/index.txt.attr"); + print FILE "unique_subject = yes"; close(FILE); } unlink ("${General::swroot}/certs/index.txt.old"); @@ -907,7 +908,7 @@ END # Extract the CA certificate from the file &General::log("ipsec", "Extracting caroot from p12..."); if (open(STDIN, "-|")) { - my $opt = " pkcs12 -cacerts -nokeys"; + my $opt = " pkcs12 -legacy -cacerts -nokeys"; $opt .= " -in $filename"; $opt .= " -out /tmp/newcacert"; $errormessage = &callssl ($opt); @@ -920,7 +921,7 @@ END if (!$errormessage) { &General::log("ipsec", "Extracting host cert from p12..."); if (open(STDIN, "-|")) { - my $opt = " pkcs12 -clcerts -nokeys"; + my $opt = " pkcs12 -legacy -clcerts -nokeys"; $opt .= " -in $filename"; $opt .= " -out /tmp/newhostcert"; $errormessage = &callssl ($opt); @@ -934,7 +935,7 @@ END if (!$errormessage) { &General::log("ipsec", "Extracting private key from p12..."); if (open(STDIN, "-|")) { - my $opt = " pkcs12 -nocerts -nodes"; + my $opt = " pkcs12 -legacy -nocerts -nodes"; $opt .= " -in $filename"; $opt .= " -out /tmp/newhostkey"; $errormessage = &callssl ($opt); @@ -1939,7 +1940,7 @@ END # Extract the CA certificate from the file &General::log("ipsec", "Extracting caroot from p12..."); if (open(STDIN, "-|")) { - my $opt = " pkcs12 -cacerts -nokeys"; + my $opt = " pkcs12 -legacy -cacerts -nokeys"; $opt .= " -in $filename"; $opt .= " -out /tmp/newcacert"; $errormessage = &callssl ($opt); @@ -1952,7 +1953,7 @@ END if (!$errormessage) { &General::log("ipsec", "Extracting host cert from p12..."); if (open(STDIN, "-|")) { - my $opt = " pkcs12 -clcerts -nokeys"; + my $opt = " pkcs12 -legacy -clcerts -nokeys"; $opt .= " -in $filename"; $opt .= " -out /tmp/newhostcert"; $errormessage = &callssl ($opt); @@ -2197,7 +2198,7 @@ END # Create the pkcs12 file &General::log("ipsec", "Packing a pkcs12 file..."); - $opt = " pkcs12 -export"; + $opt = " pkcs12 -legacy -export"; $opt .= " -inkey ${General::swroot}/certs/$cgiparams{'NAME'}key.pem"; $opt .= " -in ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem"; $opt .= " -name \"$cgiparams{'NAME'}\"";