Introduce temporary golbal option: --old-safe-ssl

This forces using the old 'sed' expansion of 'openssl-easyrsa.cnf' and forces expansion of the SSL config for LibreSSL. This is temporary because the intention is to remove the old 'sed' expansion method, in favor of heredoc expansion. Signed-off-by: Richard T Bonhomme <[email protected]>
OpenVPN · Jan 20, 2024 · c057be7 · c057be7
1 parent daf31b8
commit c057be7
Showing 1 changed file with 9 additions and 2 deletions.
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
@@ -563,6 +563,8 @@ General options:
                   (Default config file is in the EasyRSA PKI directory)
 --force-safe-ssl: Always generate a safe SSL config file
                   (Default: Generate Safe SSL config once per instance)
+--old-safe-ssl:   Always generate a safe SSL config file
+                  As --force-safe-ssl but use 'sed' expansion.
 
 --tmp-dir=DIR   : Declare the temporary directory
                   (Default temporary directory is the EasyRSA PKI directory)
@@ -985,7 +987,7 @@ escape_hazard() {
 	fi
 
 	# Only use if old 'sed' version is requested
-	if [ "$EASYRSA_SAFE_CNF_SED" ]; then
+	if [ "$EASYRSA_LEGACY_SAFE_SSL" ]; then
 		: # ok
 	else
 		verbose "escape_hazard: REPLACED by heredoc expansion"
@@ -1057,7 +1059,7 @@ easyrsa_mktemp safe_ssl_cnf_tmp"
 	# Rewrite
 	# Only use if old 'sed' version is requested
 	# shellcheck disable=SC2016 # No expand '' - expand_ssl_config()
-	if [ "$EASYRSA_SAFE_CNF_SED" ]; then
+	if [ "$EASYRSA_LEGACY_SAFE_SSL" ]; then
 		if sed \
 \
 -e s\`'$dir'\`\
@@ -6316,6 +6318,11 @@ while :; do
 		empty_ok=1
 		export EASYRSA_FORCE_SAFE_SSL=1
 		;;
+	--old-safe-ssl)
+		empty_ok=1
+		export EASYRSA_FORCE_SAFE_SSL=1
+		export EASYRSA_LEGACY_SAFE_SSL=1
+		;;
 	--nopass|--no-pass)
 		empty_ok=1
 		export EASYRSA_NO_PASS=1