forwarded 851059 https://github.com/OpenVPN/easy-rsa/issues/159 tags 851059 + fixed-upstream patch thanks
Hi there,

On Wed, 11 Jan 2017 21:54:38 +0100, Yvan Masson wrote:

> easy-rsa currently does not provide openssl configuration file for the
> openssl version available in testing (1.1.*).

Upstream has already fixed this, but only in the 3.x branch. Nevertheless, there are differences once the fixed file has been reordered to match the 1.0.0 one (files used to check attached as well). However, IMHO all of such differences are not related to the OpenSSL version, but to *default settings*, thus they should be treated separately.

My proposed patch is the following, after having moved openssl-1.0.0.cnf to openssl-1.x.0.cnf:

--8<---------------cut here---------------start------------->8---
--- whichopensslcnf	2017-12-15 00:06:42.984954153 +0100
+++ whichopensslcnf	2017-12-15 00:06:25.552581087 +0100
@@ -7,8 +7,8 @@
 cnf="$1/openssl-0.9.6.cnf"
 elif $OPENSSL version | grep -E "0\.9\.8[[:alnum:]]?" > /dev/null; then
 cnf="$1/openssl-0.9.8.cnf"
-elif $OPENSSL version | grep -E "1\.0\.[[:digit:]][[:alnum:]]?" > /dev/null; then
-cnf="$1/openssl-1.0.0.cnf"
+elif $OPENSSL version | grep -E "1\.[01]\.[[:digit:]][[:alnum:]]?" > /dev/null; then
+cnf="$1/openssl-1.x.0.cnf"
 else
 cnf="$1/openssl.cnf"
 fi
--8<---------------cut here---------------end--------------->8---

I can confirm that with the above easy-rsa works with openssl_1.1.0f-3+deb9u1 to generate all the basic files (DH, CA, server and one client).

PLEASE NOTE THAT I AM NO SSL EXPERT, so the above patch (and generated keys) should be audited at least once before distribution in the official Debian package.

Thx, bye,
Gismo / Luca
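Review bot: the rename from openssl-1.0.0.cnf to openssl-1.x.0.cnf that the `+cnf="$1/openssl-1.x.0.cnf"` line depends on is not part of the hunk, only of the surrounding text, so applying this patch on its own leaves `whichopensslcnf` selecting a file that does not exist for every OpenSSL 1.0.x and 1.1.x installation; either include the rename in the same change or keep the existing 1.0 branch and add the `1\.1\.` case as a separate `elif`. The widened regex also means the 1.0 and 1.1 branches now share one configuration file, so the statement that the remaining differences are only default settings should be recorded alongside the change (the attached reordering diff shows a pure relocation of `[ cn_only ]`, not those differences), since the hunk itself gives no way to verify it.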
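As an added illustration (not part of Luca's message and not easy-rsa's own code), the following shell function reproduces the version-to-config mapping of the patched `whichopensslcnf` on a supplied version string rather than on a real `openssl` binary, so the 0.9.8, 1.0.x, 1.1.x and fallback branches can be checked offline against constructed inputs. The leading 0.9.6 `if` test is assumed to mirror the 0.9.8 one, because the hunk does not show it, and `cnf_exists` is an added check for the missing-file case that the script itself does not perform.

```shell
# Added example, not from the bug report or from easy-rsa.
# pick_cnf DIR VERSION_STRING
#   Prints the configuration file path the patched whichopensslcnf logic
#   would select for VERSION_STRING (the text "openssl version" prints).
#   The 0.9.6 branch is an assumption: the hunk only shows its assignment.
pick_cnf() {
    dir="$1"
    ver="$2"
    if printf '%s\n' "$ver" | grep -E "0\.9\.6[[:alnum:]]?" > /dev/null; then
        cnf="$dir/openssl-0.9.6.cnf"
    elif printf '%s\n' "$ver" | grep -E "0\.9\.8[[:alnum:]]?" > /dev/null; then
        cnf="$dir/openssl-0.9.8.cnf"
    # The patched pattern: 1.0.x and 1.1.x both map to the renamed file.
    elif printf '%s\n' "$ver" | grep -E "1\.[01]\.[[:digit:]][[:alnum:]]?" > /dev/null; then
        cnf="$dir/openssl-1.x.0.cnf"
    else
        cnf="$dir/openssl.cnf"
    fi
    printf '%s\n' "$cnf"
}

# cnf_exists DIR VERSION_STRING
#   Added check: returns 0 only if the selected file is actually present,
#   which is what breaks when the rename is not applied together with the patch.
cnf_exists() {
    f=$(pick_cnf "$1" "$2")
    [ -f "$f" ]
}

# Constructed demonstration directory holding only the renamed file.
demo() {
    d=$(mktemp -d)
    touch "$d/openssl-1.x.0.cnf"
    for v in "OpenSSL 1.1.0f  25 May 2017" "OpenSSL 1.0.2l  25 May 2017" \
             "OpenSSL 0.9.8zh 3 Dec 2015" "OpenSSL 3.0.2 15 Mar 2022"; do
        if cnf_exists "$d" "$v"; then
            printf '%-30s -> %s (present)\n' "$v" "$(pick_cnf "$d" "$v")"
        else
            printf '%-30s -> %s (MISSING)\n' "$v" "$(pick_cnf "$d" "$v")"
        fi
    done
    rm -rf "$d"
}
```

Running `demo` shows that both 1.0.2 and 1.1.0 strings resolve to openssl-1.x.0.cnf, while the 0.9.8 and unmatched versions resolve to files that are absent from the directory; the same `cnf_exists` test, pointed at a real Easy-RSA directory, tells you whether the rename was applied.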
# For use with Easy-RSA 3.0 and OpenSSL 1.0.*

RANDFILE                = $ENV::EASYRSA_PKI/.rnd

####################################################################
[ ca ]
default_ca      = CA_default    # The default ca section

####################################################################
[ CA_default ]

dir             = $ENV::EASYRSA_PKI     # Where everything is kept
certs           = $dir                  # Where the issued certs are kept
crl_dir         = $dir                  # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
new_certs_dir   = $dir/certs_by_serial  # default place for new certs.

certificate     = $dir/ca.crt           # The CA certificate
serial          = $dir/serial           # The current serial number
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/ca.key   # The private key
RANDFILE        = $dir/.rand            # private random number file

x509_extensions = basic_exts            # The extensions to add to the cert

# This allows a V2 CRL. Ancient browsers don't like it, but anything Easy-RSA
# is designed for will. In return, we get the Issuer attached to CRLs.
crl_extensions  = crl_ext

default_days    = $ENV::EASYRSA_CERT_EXPIRE     # how long to certify for
default_crl_days= $ENV::EASYRSA_CRL_DAYS        # how long before next CRL
default_md      = $ENV::EASYRSA_DIGEST          # use public key default MD
preserve        = no                            # keep passed DN ordering

# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy          = policy_anything

# For the 'anything' policy, which defines allowed DN fields
[ policy_anything ]
countryName             = optional
stateOrProvinceName     = optional
localityName            = optional
organizationName        = optional
organizationalUnitName  = optional
commonName              = supplied
name                    = optional
emailAddress            = optional

####################################################################
# Easy-RSA request handling
# We key off $DN_MODE to determine how to format the DN
[ req ]
default_bits            = $ENV::EASYRSA_KEY_SIZE
default_keyfile         = privkey.pem
default_md              = $ENV::EASYRSA_DIGEST
distinguished_name      = $ENV::EASYRSA_DN
x509_extensions         = easyrsa_ca    # The extensions to add to the self signed cert

# A placeholder to handle the $EXTRA_EXTS feature:
#%EXTRA_EXTS%   # Do NOT remove or change this line as $EXTRA_EXTS support requires it

####################################################################
# Easy-RSA DN (Subject) handling

# Easy-RSA DN for org support:
[ org ]
countryName                     = Country Name (2 letter code)
countryName_default             = $ENV::EASYRSA_REQ_COUNTRY
countryName_min                 = 2
countryName_max                 = 2

stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = $ENV::EASYRSA_REQ_PROVINCE

localityName                    = Locality Name (eg, city)
localityName_default            = $ENV::EASYRSA_REQ_CITY

0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = $ENV::EASYRSA_REQ_ORG

organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = $ENV::EASYRSA_REQ_OU

commonName                      = Common Name (eg: your user, host, or server name)
commonName_max                  = 64
commonName_default              = $ENV::EASYRSA_REQ_CN

emailAddress                    = Email Address
emailAddress_default            = $ENV::EASYRSA_REQ_EMAIL
emailAddress_max                = 64

# Easy-RSA DN for cn_only support:
[ cn_only ]
commonName              = Common Name (eg: your user, host, or server name)
commonName_max          = 64
commonName_default      = $ENV::EASYRSA_REQ_CN

####################################################################
# Easy-RSA cert extension handling

# This section is effectively unused as the main script sets extensions
# dynamically. This core section is left to support the odd usecase where
# a user calls openssl directly.

[ basic_exts ]
basicConstraints        = CA:FALSE
subjectKeyIdentifier    = hash
authorityKeyIdentifier  = keyid,issuer:always

# The Easy-RSA CA extensions
[ easyrsa_ca ]

# PKIX recommendations:

subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always

# This could be marked critical, but it's nice to support reading by any
# broken clients who attempt to do so.
basicConstraints = CA:true

# Limit key usage to CA tasks. If you really want to use the generated pair as
# a self-signed cert, comment this out.
keyUsage = cRLSign, keyCertSign

# nsCertType omitted by default. Let's try to let the deprecated stuff die.
# nsCertType = sslCA

# CRL extensions.
[ crl_ext ]

# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always,issuer:always
--- openssl-easyrsa.cnf	2017-12-14 23:37:00.718627177 +0100
+++ openssl-easyrsa.cnf.reordered-1.0.0	2017-12-14 23:43:41.827280226 +0100
@@ -64,12 +64,6 @@
 ####################################################################
 # Easy-RSA DN (Subject) handling
 
-# Easy-RSA DN for cn_only support:
-[ cn_only ]
-commonName = Common Name (eg: your user, host, or server name)
-commonName_max = 64
-commonName_default = $ENV::EASYRSA_REQ_CN
-
 # Easy-RSA DN for org support:
 [ org ]
 countryName = Country Name (2 letter code)
@@ -97,6 +91,12 @@
 emailAddress_default = $ENV::EASYRSA_REQ_EMAIL
 emailAddress_max = 64
 
+# Easy-RSA DN for cn_only support:
+[ cn_only ]
+commonName = Common Name (eg: your user, host, or server name)
+commonName_max = 64
+commonName_default = $ENV::EASYRSA_REQ_CN
+
 ####################################################################
 # Easy-RSA cert extension handling