From patchwork Mon Feb 19 14:16:32 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Adolf Belka X-Patchwork-Id: 7556 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384 client-signature ECDSA (secp384r1) client-digest SHA384) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4Tdl305qHZz3wlw for ; Mon, 19 Feb 2024 14:16:44 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4Tdl2y4Yfdz84; Mon, 19 Feb 2024 14:16:42 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4Tdl2y3Fv6z32h2; Mon, 19 Feb 2024 14:16:42 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) client-signature ECDSA (secp384r1)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4Tdl2v4bz8z2xZC for ; Mon, 19 Feb 2024 14:16:39 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (secp384r1) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4Tdl2t6xWSz3B; Mon, 19 Feb 2024 14:16:38 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1708352199; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=DgpmiH8Oh4t1VQUsano4bGzkJ/IfqdUIDpr80rlCXLI=; b=jBNKrRD2aklGCnSFqQLP8V8U56KL6W5YgyvHmEOLDMitzy3Iv+09xs55zsy02pAbLndhN6 1yjtcB6LEY58IDAw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1708352199; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=DgpmiH8Oh4t1VQUsano4bGzkJ/IfqdUIDpr80rlCXLI=; b=SdXhJECv5S8aDhO5CE2X3yvcTrmIRCVZMcnqzeIPawwrBgWmKjpi6uIDwndTg/REKTMSP4 OfHhvPTXOIxZJEq+gycTn7onxcr9IoX8hnI1tqeiaqSQnqfoAinWzg5r5KzEvR3WmMv5yG VDAHerXcIkSyFZkpFmq/kDiMOhz98WC7UsRgQ5XNyYTMnwO73FRG4TyXizGtPwyFP6O7qf vpgnH4mNxC2FPv4AU2teqt5MWaf5M5YqncVDJFmKkhuwXPHbKS4F/HDnduDY2jXpfSMPMb LvqKpvuRAXQaIJN7fpgB5NxhE5PeLBexJc03kPP5NQTERY4LCSswxFhVrO3TFg== From: Adolf Belka To: development@lists.ipfire.org Subject: [PATCH] ovpn.cnf: Removal of SKID & AKID from server section - Fixes Bug#13595 Date: Mon, 19 Feb 2024 15:16:32 +0100 Message-ID: <20240219141632.14939-1-adolf.belka@ipfire.org> MIME-Version: 1.0 Message-ID-Hash: OXHTDWMHAK2UZSB2B5SL2LOXEYVBIG43 X-Message-ID-Hash: OXHTDWMHAK2UZSB2B5SL2LOXEYVBIG43 X-MailFrom: adolf.belka@ipfire.org X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.8 Precedence: list List-Id: IPFire development talk Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: - The update to openssl-3.2.x introduced a bug fix which now gives an error if the subjectKeyIdentifier (SKID) or authorityKeyIdentifier (AKID) is in the x509 extensions for a CSR. - See the following discssion in the openssl github issues https://github.com/openssl/openssl/issues/22966#issuecomment-1858396738 - The SKID & AKID should never have been specified in the CSR but due to a bug they were never flagged with an error, just ignored. Since the bug fix for that bug was put into OpenSSL-3.2.0 the prescence of the SKID & AKID in the CSR causes an error to be flagged. - The consequence of this is that in CU183 trying to create a new x509 root/host certificate gives an error when the CSR is generated so only the root certificate is created and not the host certificate. - Tested out the removal of the SKID & AKID lines from the [ server ] section of the ovpn.cnf file and the root/host certificate set was created without any issue. - Then tested the creation of a RW client connection and that worked with no problems. Also creating a fresh N2N connection worked without any problems. - Also tested restoring from an earlier backup. The RW and N2N connections worked without issues with the AKID and SKID missing from the [ server ] section. - It would be good if this could be merged into CU184 for final testing. Fixes: Bug#13595 Tested-by: Adolf Belka Signed-off-by: Adolf Belka --- config/ovpn/openssl/ovpn.cnf | 3 --- 1 file changed, 3 deletions(-) diff --git a/config/ovpn/openssl/ovpn.cnf b/config/ovpn/openssl/ovpn.cnf index 96c3dcb09..bfa7ad744 100644 --- a/config/ovpn/openssl/ovpn.cnf +++ b/config/ovpn/openssl/ovpn.cnf @@ -79,13 +79,10 @@ extendedKeyUsage = clientAuth keyUsage = digitalSignature [ server ] - # JY ADDED -- Make a cert with nsCertType set to "server" basicConstraints = CA:FALSE nsCertType = server nsComment = "OpenSSL Generated Server Certificate" -subjectKeyIdentifier = hash -authorityKeyIdentifier = keyid,issuer:always extendedKeyUsage = serverAuth keyUsage = digitalSignature, keyEncipherment