Replace use of sed with heredoc expansion #1064
Merged
This replaces use of 'sed' to expand the SSL config file for LibreSSL use.

Currently, the SSL config file is copied unexpanded from the heredoc to the openssl-easyrsa.cnf file. 'sed' is used to expand the '$ENV::EASYRSA_var' to the configured EasyRSA values.

This change replaces use of 'sed' with expanding the 'ssl-cnf' heredoc.

The expansion of the heredoc can be configured to expand the original values of, eg: $ENV::EASYRSA_PKI to $EASYRSA_PKI, or be set to expand the values to the original text of the file. eg: $ENV::EASYRSA_PKI will expand to the same text string: '$ENV::EASYRSA_PKI'.

This allows expanding the SSL config heredoc to either:
* Unexpanded OpenSSL labels.
* Fully expanded safe values, configured by Easy-RSA.

The unexpanded output can be verified against the known heredoc hash within the script:
82439f1860838e28f6270d5d06b1771756db777861e19bf9edc21222f86a310d

To confirm this hash, use: 'easyrsa write ssl-cnf | openssl dgst'

The expanded 'write safe-cnf' has all OpenSSL labels expanded.

Signed-off-by: Richard T Bonhomme <[email protected]>
This replaces command 'easyrsa_openssl makesafeconf' with new heredoc expansion.

Signed-off-by: Richard T Bonhomme <[email protected]>
TinCanTech added LibreSSL EasyRSA-OpenSSL-Config development Possible changes improvement labels Jan 15, 2024
Currently, command 'write' must allow at least one level of recursion. This check guards against infinite recursion.

Signed-off-by: Richard T Bonhomme <[email protected]>
This replaces use of:
* 'sed' for expanding openssl-easyrsa.cnf
* 'sed' for sanitizing Distinguished Name fields
.. by using heredoc expansion of the built-in openssl-easyrsa.cnf

Signed-off-by: Richard T Bonhomme <[email protected]>
93b28ad shaves off almost 10 seconds from each unit test.
TinCanTech changed the title from "Safe ssl cnf via hdoc" to "Replace use of sed with heredoc expansion" Jan 16, 2024
Signed-off-by: Richard T Bonhomme <[email protected]>
Signed-off-by: Richard T Bonhomme <[email protected]>
Signed-off-by: Richard T Bonhomme <[email protected]>
This forces using the old 'sed' expansion of 'openssl-easyrsa.cnf' and forces expansion of the SSL config for LibreSSL.

This is temporary because the intention is to remove the old 'sed' expansion method, in favor of heredoc expansion.

Signed-off-by: Richard T Bonhomme <[email protected]>
TinCanTech force-pushed the safe-ssl-cnf-via-hdoc branch from c057be7 to 6714a21, January 20, 2024 03:16
Signed-off-by: Richard T Bonhomme <[email protected]>
sed is used to expand openssl-easyrsa.cnf and to sanitize the vars file organisation fields when configured for use.

Currently, the original behavior can be restored by setting EASYRSA_SAFE_CNF_SED=1 in the environment. There is no command option at this time but there probably will be, soon.
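
The two output modes described in the commit messages above (unexpanded OpenSSL labels, or values configured by Easy-RSA), sketched as an added example that is not Easy-RSA's own code. The function name `render_cnf`, the `cnf_*` variables and the two-line template are assumptions made for illustration; the sample values are constructed.

```shell
#!/bin/sh
# Added illustration. render_cnf and cnf_* are hypothetical names and the
# template is a constructed fragment, not the project's openssl-easyrsa.cnf.

# render_cnf MODE
#   labels   - emit the OpenSSL '$ENV::' labels unchanged (hashable output)
#   expanded - emit the values held in the EASYRSA_* variables
render_cnf() {
	case "$1" in
	labels)
		# Single quotes keep the label text literal.
		cnf_pki='$ENV::EASYRSA_PKI'
		cnf_org='$ENV::EASYRSA_REQ_ORG'
		;;
	expanded)
		cnf_pki=$EASYRSA_PKI
		cnf_org=$EASYRSA_REQ_ORG
		;;
	*)
		echo "render_cnf: unknown mode: $1" >&2
		return 1
		;;
	esac

	# Unquoted delimiter: the shell expands $cnf_* exactly once and does
	# not re-scan the substituted text, so '&', '/' or '|' in a value need
	# no escaping, unlike in a sed replacement string.
	# OpenSSL's own config parser still interprets '$' and '\' in values;
	# validating values for that is outside this sketch.
	cat <<CNF
[ CA_default ]
dir = $cnf_pki

[ req_distinguished_name ]
organizationName_default = $cnf_org
CNF
}

# Constructed sample values containing sed-special characters.
EASYRSA_PKI=/etc/easy-rsa/pki
EASYRSA_REQ_ORG='Smith & Sons / R|D'
render_cnf labels
render_cnf expanded
```

The `labels` output does not depend on the environment, which is what makes a fixed hash check of the unexpanded file possible.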