Introduce OpenSSL only mode: No Safe SSL Config File #800

Merged 1 commit on Dec 6, 2022

TinCanTech
Collaborator

Global option '--no-safe-ssl' disables generating a safe SSL config file.

The default is to always generate a safe SSL config file.

Can be used by OpenSSL ONLY.

Signed-off-by: Richard T Bonhomme [email protected]

@TinCanTech TinCanTech self-assigned this Dec 5, 2022
@TinCanTech TinCanTech added this to the v3.1.2 - Probably milestone Dec 5, 2022
@TinCanTech
Collaborator Author

Supersedes #774

@TinCanTech
Collaborator Author

TinCanTech commented Dec 5, 2022

The unit test does not currently test this mode ..

I have tested this locally.

It is also a useful debug tool.

Not adding to ChangeLog.

Unit test log snippet:

tct@home $ time \
EASYRSA_DEBUG=1 SAVE_PKI=1 IGNORE_TEMP=1 \
EASYRSA_NO_SAFE_SSL=1 EASYRSA_KEEP_TEMP=utt \
easyrsa-unit-tests.sh -v

easyrsa-unit-tests.sh version: 3.1.2
easyrsa-unit-tests.sh source:  
easyrsa source:                easyrsa

* EASYRSA_OPENSSL:
  openssl (env)
  OpenSSL 1.1.1f  31 Mar 2020
SSL config: 
OpenSSL 1.1.1f  31 Mar 2020

* Using SSL: openssl OpenSSL 1.1.1f  31 Mar 2020

* Using Easy-RSA configuration: /home/tct/git/easy-rsa/test/installed/test D/vars

* The preferred location for 'vars' is within the PKI folder.
  To silence this message move your 'vars' file to your PKI
  or declare your 'vars' file with option: --vars=<FILE>
EasyRSA Version Information
Version:     ~VER~
Generated:   ~DATE~
SSL Lib:     OpenSSL 1.1.1f  31 Mar 2020
Git Commit:  ~GITHEAD~
Source Repo: https://github.com/OpenVPN/easy-rsa
* debug enabled
Host: dev | nix | Linux | /bin/bash
GJS_DEBUG_TOPICS=JS ERROR;JS LOG
LESSOPEN=| /usr/bin/lesspipe %s
LANGUAGE=en_GB:en
USER=tct
EASYRSA=/home/tct/git/easy-rsa/test/installed/test D
XDG_SEAT=seat0
EASYRSA_REQ_OU=tct @ $&$
SAVE_PKI=1
SSH_AGENT_PID=967400
XDG_SESSION_TYPE=x11
[email protected]
SHLVL=1
EASYRSA_CA_EXPIRE=1
EASYRSA_EC_DIR=/home/tct/git/easy-rsa/test/installed/test D/pki/ecparams
HOME=/home/tct
OLDPWD=/home/tct/git/easy-rsa/test/installed/test D/hooz
DESKTOP_SESSION=cinnamon
GTK_MODULES=gail:atk-bridge
XDG_SEAT_PATH=/org/freedesktop/DisplayManager/Seat0
EASYRSA_DN=org
CINNAMON_VERSION=4.6.7
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
COLORTERM=truecolor
LIBVIRT_DEFAULT_URI=qemu:///system
INSIDE_NEMO_PYTHON=
EASYRSA_REQ_COUNTRY=00
EASYRSA_PKI=/home/tct/git/easy-rsa/test/installed/test D/pki
QT_QPA_PLATFORMTHEME=qt5ct
EASYRSA_KEEP_TEMP=utt
LOGNAME=tct
_=/usr/local/sbin/easyrsa-unit-tests.sh
XDG_SESSION_CLASS=user
TERM=xterm-256color
GTK_OVERLAY_SCROLLING=1
XDG_SESSION_ID=c4
EASYRSA_CURVE=secp384r1
GNOME_DESKTOP_SESSION_ID=this-is-deprecated
EASYRSA_CERT_EXPIRE=365
EASYRSA_FIX_OFFSET=162
EASYRSA_CRL_DAYS=180
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
SESSION_MANAGER=local/home:@/tmp/.ICE-unix/967329,unix/home:/tmp/.ICE-unix/967329
GDM_LANG=en_GB
EASYRSA_CERT_RENEW=529
EASYRSA_OPENSSL=openssl
XDG_SESSION_PATH=/org/freedesktop/DisplayManager/Session1
GNOME_TERMINAL_SCREEN=/org/gnome/Terminal/screen/73059784_f889_414a_9e7c_9663e8e89ebf
XDG_RUNTIME_DIR=/run/user/1000
DISPLAY=:0
EASYRSA_TEMP_DIR=/home/tct/git/easy-rsa/test/installed/test D/pki
EASYRSA_REQ_CN=ChangeMe
LANG=en_GB.UTF-8
XDG_CURRENT_DESKTOP=X-Cinnamon
EASYRSA_REQ_PROVINCE=home
XDG_SESSION_DESKTOP=cinnamon
XAUTHORITY=/home/tct/.Xauthority
GNOME_TERMINAL_SERVICE=:1.384
SSH_AUTH_SOCK=/run/user/1000/keyring/ssh
XDG_GREETER_DATA_DIR=/var/lib/lightdm-data/tct
EASYRSA_NS_COMMENT=Easy-RSA (~VER~) Generated Certificate
EASYRSA_SSL_CONF=/home/tct/git/easy-rsa/test/installed/test D/pki/openssl-easyrsa.cnf
EASYRSA_DEBUG=1
SHELL=/bin/bash
QT_ACCESSIBILITY=1
GDMSESSION=cinnamon
LESSCLOSE=/usr/bin/lesspipe %s %s
EASYRSA_NS_SUPPORT=no
EASYRSA_KDC_REALM=CHANGEME.EXAMPLE.COM
GPG_AGENT_INFO=/run/user/1000/gnupg/S.gpg-agent:0:1
GJS_DEBUG_OUTPUT=stderr
XDG_VTNR=7
EASYRSA_REQ_ORG=tct
EASYRSA_SAFE_CONF=/home/tct/git/easy-rsa/test/installed/test D/pki/safessl-easyrsa.cnf
EASYRSA_EXT_DIR=/usr/local/share/easy-rsa/x509-types
PWD=/home/tct/git/easy-rsa/test/installed/test D
XDG_CONFIG_DIRS=/etc/xdg/xdg-cinnamon:/etc/xdg
XDG_DATA_DIRS=/usr/share/cinnamon:/usr/share/gnome:/home/tct/.local/share/flatpak/exports/share:/var/lib/flatpak/exports/share:/usr/local/share:/usr/share
EASYRSA_REQ_CITY=wiscii glaß
IGNORE_TEMP=1
EASYRSA_NO_SAFE_SSL=1
VTE_VERSION=6003
EASYRSA_INLINE=1
EASYRSA_ALGO=rsa
EASYRSA_KEY_SIZE=1024
EASYRSA_DIGEST=sha256
Temp session preserved: /home/tct/git/easy-rsa/test/installed/test D/pki/tmp/utt

Setup ........................ ok
>>>>> >>>>> Begin easyrsa rsa tests

* EASYRSA_OPENSSL:
  openssl (env)
  OpenSSL 1.1.1f  31 Mar 2020

rsa: init-pki .. ok
 - rsa: build-ca .. ok

< BIG snipetty-snip >

    - ed: show-crl .. ok
    - cat index.txt .. ok
<<<<< <<<<< End easyrsa ed tests
easyrsa-unit-tests.sh version: 3.1.2
easyrsa-unit-tests.sh source:  
easyrsa source:                easyrsa

* EASYRSA_OPENSSL:
  openssl (env)
  OpenSSL 1.1.1f  31 Mar 2020
SSL config: 
OpenSSL 1.1.1f  31 Mar 2020
EasyRSA Version Information
Version:     ~VER~
Generated:   ~DATE~
SSL Lib:     OpenSSL 1.1.1f  31 Mar 2020
Git Commit:  ~GITHEAD~
Source Repo: https://github.com/OpenVPN/easy-rsa
* debug enabled



Unit-test: cleanup
Saving temp dir: SAVE_PKI=1
Completed Mon  5 Dec 20:58:34 GMT 2022 (Total errors: 0)

real	1m29.741s
user	1m3.623s
sys	0m27.020s

@TinCanTech
Collaborator Author

Part-of: #749

@TinCanTech TinCanTech merged commit f3b2f60 into OpenVPN:master Dec 6, 2022
@TinCanTech TinCanTech deleted the no-safe-ssl-mode branch December 8, 2022 01:45