build-ca: Command 'req', remove SSL option '-keyout' #1124

Merged
merged 1 commit into from
Apr 18, 2024

Conversation

TinCanTech (Collaborator)

OpenSSL command 'req', option '-keyout' behaves differently between OpenSSL v3.x and v1.x

When the private key is encrypted:

  • v1.x ignores '-keyout' and does not create a new key.
  • v3.x creates a new key with different parameters to the original key.

v3.x creates the original key, encrypted by AES-256-CBC; then creates the unnecessary, secondary key, encrypted by DES-EDE3-CBC.

Because EasyRSA has already generated the private key, the 'req' command must not generate a secondary key.

OpenSSL command 'req', option '-keyout' behaves differently between OpenSSL
v3.x and v1.x

When the private key is encrypted:
- v1.x ignores '-keyout' and does not create a new key.
- v3.x creates a new key with different parameters to the original key.

v3.x creates the original key, encrypted by AES-256-CBC; then creates
the unnecessary, secondary key, encrypted by DES-EDE3-CBC.

Because EasyRSA has already generated the private key, the 'req' command
must not generate a secondary key.

Signed-off-by: Richard T Bonhomme <[email protected]>
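As an added example, not part of this PR or of EasyRSA itself: a small Python checker that reports which cipher protects a PEM private key, so a PKI directory can be audited for the des-ede3-cbc key the linked issue describes without shelling out to OpenSSL. It handles encrypted PKCS#8 (`BEGIN ENCRYPTED PRIVATE KEY`, where the cipher is the last OID in the PBES2 parameters) and the legacy format (`DEK-Info` header), and flags unencrypted keys as `None`. The function names (`key_cipher`, `audit`, `make_sample_pkcs8`) are mine, and the sample keys are constructed inline with placeholder salt, IV and ciphertext; they are structurally valid but are not real keys.

```python
"""Report which cipher protects a PEM private key (PKCS#8 or legacy format).

Only enough DER is parsed to locate OIDs; nothing is ever decrypted.
Sample keys at the bottom are constructed with placeholder ciphertext.
"""
import base64
import re

# OIDs that occur inside an EncryptedPrivateKeyInfo; names lowercased for comparison.
OID_NAMES = {
    "1.2.840.113549.1.5.13": "pbes2",
    "1.2.840.113549.1.5.12": "pbkdf2",
    "1.2.840.113549.2.9": "hmacwithsha256",
    "1.2.840.113549.3.7": "des-ede3-cbc",
    "1.2.840.113549.1.12.1.3": "pbewithsha1and3-keytripledes-cbc",  # PBES1 with 3DES
    "2.16.840.1.101.3.4.1.2": "aes-128-cbc",
    "2.16.840.1.101.3.4.1.22": "aes-192-cbc",
    "2.16.840.1.101.3.4.1.42": "aes-256-cbc",
}
WEAK_CIPHERS = {"des-cbc", "des-ede3-cbc", "pbewithsha1and3-keytripledes-cbc"}


def _tlv(data, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, pos = data[pos], pos + 1
    length, pos = data[pos], pos + 1
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def _decode_oid(body):
    """Decode the content octets of an OBJECT IDENTIFIER to dotted form."""
    parts, val = [str(body[0] // 40), str(body[0] % 40)], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(val))
            val = 0
    return ".".join(parts)


def _oids_in(der):
    """Collect every OID in a DER blob, depth-first, descending into SEQUENCE/SET."""
    found, pos = [], 0
    while pos < len(der):
        tag, body, pos = _tlv(der, pos)
        if tag == 0x06:
            found.append(_decode_oid(body))
        elif tag & 0x20:  # constructed type: recurse; OCTET STRING (salt, IV, ciphertext) is skipped
            found.extend(_oids_in(body))
    return found


def key_cipher(pem_text):
    """Return the lowercased cipher name protecting a PEM private key, or None if unencrypted."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----\n(.*?)-----END \1-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.group(1), m.group(2)
    headers, _, b64 = body.partition("\n\n") if "DEK-Info" in body else ("", "", body)
    if label == "ENCRYPTED PRIVATE KEY":
        # EncryptedPrivateKeyInfo: PBES2 -> PBKDF2 params -> encryptionScheme; the scheme OID is last.
        names = [OID_NAMES.get(o, o) for o in _oids_in(base64.b64decode("".join(b64.split())))]
        return names[-1]
    if headers:  # legacy format: "Proc-Type: 4,ENCRYPTED" plus "DEK-Info: CIPHER,iv"
        return re.search(r"DEK-Info:\s*([^,\s]+)", headers).group(1).lower()
    return None


def audit(keys):
    """Map each key name to (cipher, is_weak) for a {name: pem_text} dict."""
    result = {}
    for name, pem in keys.items():
        cipher = key_cipher(pem)
        result[name] = (cipher, cipher in WEAK_CIPHERS)
    return result


# --- constructed samples (placeholder salt/IV/ciphertext, not real keys) ---------------
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _oid(dotted):
    p = [int(x) for x in dotted.split(".")]
    out = bytes([40 * p[0] + p[1]])
    for v in p[2:]:
        chunk = [v & 0x7F]
        v >>= 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out += bytes(reversed(chunk))
    return _der(0x06, out)


def make_sample_pkcs8(cipher_oid):
    """Build a structurally valid PBES2 EncryptedPrivateKeyInfo PEM with dummy ciphertext."""
    kdf = _der(0x30, _oid("1.2.840.113549.1.5.12") + _der(0x30, _der(0x04, b"\x00" * 8) + _der(0x02, b"\x08\x00")))
    scheme = _der(0x30, _oid(cipher_oid) + _der(0x04, b"\x00" * 8))
    alg = _der(0x30, _oid("1.2.840.113549.1.5.13") + _der(0x30, kdf + scheme))
    epki = _der(0x30, alg + _der(0x04, b"\x00" * 32))
    return "-----BEGIN ENCRYPTED PRIVATE KEY-----\n" + base64.encodebytes(epki).decode() + "-----END ENCRYPTED PRIVATE KEY-----\n"


LEGACY_3DES_SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0102030405060708

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----
"""
UNENCRYPTED_SAMPLE = "-----BEGIN PRIVATE KEY-----\nAAAAAAAAAAAAAAAAAAAA\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    pki = {
        "ca.key": make_sample_pkcs8("2.16.840.1.101.3.4.1.42"),   # what genpkey -aes256 produces
        "stray.key": make_sample_pkcs8("1.2.840.113549.3.7"),     # the unwanted des-ede3-cbc key
        "legacy.key": LEGACY_3DES_SAMPLE,
        "plain.key": UNENCRYPTED_SAMPLE,
    }
    for name, (cipher, weak) in audit(pki).items():
        print(f"{name:12} {cipher!s:36} {'WEAK' if weak else ''}")
```

In a real PKI you would read each `*.key` under `pki/private/` and pass the file contents to `audit`; anything reported as `des-ede3-cbc` is a key that should be re-encrypted (for example with `openssl pkey -aes256`) or regenerated.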
@TinCanTech TinCanTech self-assigned this Apr 17, 2024
@TinCanTech TinCanTech added this to the v3.1.8 milestone Apr 17, 2024
TinCanTech (Collaborator, Author) commented Apr 17, 2024

@ecrist This bug dates back to v3.0.9, which does not support OpenSSL v3.x, therefore, EasyRSA v3.0x is not affected by the problem.

All versions of EasyRSA v3.1x are affected.

I think this change is suitable for EasyRSA v3.1.8 and we should consider rolling a release for it.

If this is the only bug which comes to light for v3.1x then there is less need for a release.

@TinCanTech TinCanTech merged commit 19fb7f4 into OpenVPN:v3.1.8 Apr 18, 2024
Linked issue (may be closed by this pull request):

CA Private Key will be encrypted with des-ede3-cbc during build-ca with OpenSSL 3.x