Always use locate_support_files() after secure_session() #1270
Merged
easyrsa:
Move locate_support_files() to the last command in verify_working_env(). This means that for single commands, locate_support_files() will find an existing 'openssl-easyrsa.cnf' file, after secure_session() has cleared '$EASYRSA_SSL_CONF' variable.
For build_full(), use locate_support_files() after secure_session(), during the phase between gen_req() and sign_req(), when the secure session is recreated.
easyrsa-tools.lib:
In read_db(), set the same order as above, between each record.
Signed-off-by: Richard T Bonhomme <[email protected]>
TinCanTech force-pushed the bugfix-user-ssl-conf branch from bd4e73c to d693711 (December 4, 2024 22:39)
This fix does not honor
The solution appears to be, an internal variable to track the changes made to Otherwise, some other insane scheme!
Compound function build_full() calls gen_req() then sign_req(). However, between the two, $EASYRSA_SSL_CONF is set to a temp-file, which has now been deleted. This causes sign_req() to use a different SSL config file than that used by gen_req().
Also, '--ssl-conf' is ignored when secure_session() clears $EASYRSA_SSL_CONF.
This change saves the original setting for $EASYRSA_SSL_CONF, which is then restored when remove_secure_session() is called. Also, secure_session() no longer clears $EASYRSA_SSL_CONF, preserving the setting of '--ssl-conf'.
This mechanism also covers easyrsa-tools.lib:read_db(), which also resets the temporary session. This does not require updating easyrsa-tool.lib version (@v322).
Signed-off-by: Richard T Bonhomme <[email protected]>
Retain --ssl-conf for backward compatibility
Signed-off-by: Richard T Bonhomme <[email protected]>
To change a requested CN use option --new-subject not --req-cn. Option --req-cn is reserved for use with command 'gen-req'.
Signed-off-by: Richard T Bonhomme <[email protected]>
easyrsa:
Move locate_support_files() to the last command in verify_working_env(). This means that for single commands, locate_support_files() will find an existing 'openssl-easyrsa.cnf' file, after secure_session() has cleared '$EASYRSA_SSL_CONF' variable.
For build_full(), use locate_support_files() after secure_session(), during the phase between gen_req() and sign_req(), when the secure session is recreated.
easyrsa-tools.lib:
In read_db(), set the same order as above, between each record.
edit included in force push.
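
The save-and-restore behaviour described in the commit messages above, as an added POSIX sh model that is not Easy-RSA code: `SSL_CONF` stands in for `$EASYRSA_SSL_CONF` and every `demo_*` function is hypothetical. Without the restore, the second phase is left pointing at a deleted temp file; this model stops with an error at that point, where the commit message says sign_req() used a different config.

```shell
#!/bin/sh
# Constructed model of the session handling discussed above; not Easy-RSA source.
# SSL_CONF stands in for $EASYRSA_SSL_CONF; every demo_* name is hypothetical.

demo_secure_session() {
    SESSION_DIR=$(mktemp -d) || return 1
    SAVED_SSL_CONF=$SSL_CONF            # remember the caller's setting
}

demo_remove_secure_session() {
    rm -rf "$SESSION_DIR"
    # The fix: put the original path back instead of keeping a deleted temp path.
    if [ "$MODE" = restore ]; then SSL_CONF=$SAVED_SSL_CONF; fi
}

# Stands in for gen_req()/sign_req(): note which config was read, then switch
# SSL_CONF to a working copy inside the session directory.
demo_step() {
    [ -f "$SSL_CONF" ] || { echo "config missing: $SSL_CONF" >&2; return 1; }
    USED="${USED}${SSL_CONF};"
    cp "$SSL_CONF" "$SESSION_DIR/ssl.cnf" || return 1
    SSL_CONF=$SESSION_DIR/ssl.cnf
}

# Stands in for build_full(). $1 = user config, $2 = restore | norestore
demo_build_full() {
    SSL_CONF=$1
    MODE=$2
    USED=
    demo_secure_session || return 1
    demo_step || { rm -rf "$SESSION_DIR"; return 1; }      # gen_req phase
    demo_remove_secure_session                             # session is recreated
    demo_secure_session || return 1
    demo_step || { rm -rf "$SESSION_DIR"; return 1; }      # sign_req phase
    demo_remove_secure_session
}

demo_main() {
    conf=$(mktemp) || return 1
    printf '[ req ]\n' > "$conf"        # constructed sample config
    for mode in norestore restore; do
        if demo_build_full "$conf" "$mode"; then
            echo "$mode: both phases read $USED"
        else
            echo "$mode: second phase lost its config"
        fi
    done
    rm -f "$conf"
}
demo_main
```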