forwarded 851059 https://github.com/OpenVPN/easy-rsa/issues/159
tags 851059 + fixed-upstream patch
thanks
Hi there,
On Wed, 11 Jan 2017 21:54:38 +0100, Yvan Masson wrote:
> easy-rsa currently does not provide openssl configuration file for the
> openssl version available in testing (1.1.*).
Upstream has already fixed this, but only in the 3.x branch.
Nevertheless, there are differences once the fixed file has been
reordered to match the 1.0.0 one (files used to check attached as well).
However, IMHO all such differences are not related to the OpenSSL
version, but to *default settings*, thus they should be treated
separately.
My proposed patch is the following, after having moved openssl-1.0.0.cnf
to openssl-1.x.0.cnf:
--8<---cut here---start->8---
--- whichopensslcnf 2017-12-15 00:06:42.984954153 +0100
+++ whichopensslcnf 2017-12-15 00:06:25.552581087 +0100
@@ -7,8 +7,8 @@
cnf="$1/openssl-0.9.6.cnf"
elif $OPENSSL version | grep -E "0\.9\.8[[:alnum:]]?" > /dev/null; then
cnf="$1/openssl-0.9.8.cnf"
-elif $OPENSSL version | grep -E "1\.0\.[[:digit:]][[:alnum:]]?" >
/dev/null; then
-cnf="$1/openssl-1.0.0.cnf"
+elif $OPENSSL version | grep -E "1\.[01]\.[[:digit:]][[:alnum:]]?" >
/dev/null; then
+cnf="$1/openssl-1.x.0.cnf"
else
cnf="$1/openssl.cnf"
fi
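Review bot: with openssl-1.0.0.cnf renamed to openssl-1.x.0.cnf so that one file serves both 1.0 and 1.1, the header comment of the attached config (`# For use with Easy-RSA 3.0 and OpenSSL 1.0.*`) no longer matches the file's scope and should be updated to name 1.1.* as well. A smaller point on the `+elif` line: the pattern `1\.[01]\.[[:digit:]][[:alnum:]]?` is unanchored, so `grep -E` accepts the line whenever that digit sequence appears anywhere in the `$OPENSSL version` output (date, build suffix); anchoring it to the product prefix, e.g. `grep -E "^OpenSSL 1\.[01]\.[[:digit:]][[:alnum:]]?"`, keeps the branch from being chosen on a stray match.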
--8<---cut here---end--->8---
I can confirm that with the above easy-rsa works with
openssl_1.1.0f-3+deb9u1 to generate all the basic files (DH, CA, server
and one client).
PLEASE NOTE THAT I AM NO SSL EXPERT, so the above patch (and generated
keys) should be audited at least once before distribution in the
official Debian package.
Thx, bye,
Gismo / Luca
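An added illustration (editor's example, not part of this mail and not easy-rsa's own whichopensslcnf script): a small POSIX sh function that makes the same config-file choice as the patch above, but matches the version against the "OpenSSL " prefix of the `openssl version` output instead of an unanchored regex, so digits elsewhere on the line cannot select the wrong file. The file names follow the patch (openssl-1.x.0.cnf shared by 1.0 and 1.1); the directory argument, the `detect_openssl_cnf` wrapper and the sample version strings are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not easy-rsa's own code. Selects the Easy-RSA openssl
# config file from one line of `openssl version` output (the decision the
# patched whichopensslcnf makes), with the match anchored to the
# "OpenSSL " prefix so a release date or build suffix cannot match.

# $1: one line of `openssl version` output, e.g. "OpenSSL 1.1.0f  25 May 2017"
# $2: directory holding the openssl-*.cnf files (assumed layout)
pick_openssl_cnf() {
    case "$1" in
        "OpenSSL 0.9.6"*)                echo "$2/openssl-0.9.6.cnf" ;;
        "OpenSSL 0.9.8"*)                echo "$2/openssl-0.9.8.cnf" ;;
        "OpenSSL 1.0."*|"OpenSSL 1.1."*) echo "$2/openssl-1.x.0.cnf" ;;  # shared file, as in the patch
        *)                               echo "$2/openssl.cnf" ;;        # unknown version: generic fallback
    esac
}

# Hypothetical wrapper: runs the real binary ($OPENSSL, default "openssl"),
# picks the file for it and checks the file is actually readable.
# Prints the path on success, returns 1 otherwise.
detect_openssl_cnf() {
    ver="$("${OPENSSL:-openssl}" version 2>/dev/null)" || return 1
    cnf="$(pick_openssl_cnf "$ver" "$1")"
    [ -r "$cnf" ] || { echo "config not found: $cnf" >&2; return 1; }
    echo "$cnf"
}

# Constructed sample lines (not live output), shown with the chosen file.
for sample in "OpenSSL 0.9.8zh 3 Dec 2015" "OpenSSL 1.0.2g  1 Mar 2016" \
              "OpenSSL 1.1.0f  25 May 2017" "OpenSSL 3.0.2 15 Mar 2022"; do
    printf '%-30s -> %s\n' "$sample" "$(pick_openssl_cnf "$sample" /etc/easy-rsa)"
done
```

The `case` globs do the same job as the patch's `grep -E` branches but are anchored at the start of the string by construction; `detect_openssl_cnf` adds the check that the selected file exists, which the original script does not perform before handing the path to openssl.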
# For use with Easy-RSA 3.0 and OpenSSL 1.0.*
RANDFILE = $ENV::EASYRSA_PKI/.rnd
[ ca ]
default_ca = CA_default    # The default ca section
[ CA_default ]
dir = $ENV::EASYRSA_PKI    # Where everything is kept
certs = $dir               # Where the issued certs are kept
crl_dir = $dir             # Where the issued crl are kept
database = $dir/index.txt  # database index file.
new_certs_dir = $dir/certs_by_serial  # default place for new certs.
certificate = $dir/ca.crt  # The CA certificate
serial = $dir/serial       # The current serial number
crl = $dir/crl.pem         # The current CRL
private_key = $dir/private/ca.key  # The private key
RANDFILE = $dir/.rand      # private random number file
x509_extensions = basic_exts  # The extensions to add to the cert
# This allows a V2 CRL. Ancient browsers don't like it, but anything Easy-RSA
# is designed for will. In return, we get the Issuer attached to CRLs.
crl_extensions = crl_ext
default_days = $ENV::EASYRSA_CERT_EXPIRE  # how long to certify for
default_crl_days = $ENV::EASYRSA_CRL_DAYS  # how long before next CRL
default_md = $ENV::EASYRSA_DIGEST  # use public key default MD
preserve = no  # keep passed DN ordering
# A few different ways of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_anything
# For the 'anything' policy, which defines allowed DN fields
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
name = optional
emailAddress = optional
# Easy-RSA request handling
# We key off $DN_MODE to determine how to format the DN
[ req ]
default_bits = $ENV::EASYRSA_KEY_SIZE
default_keyfile = privkey.pem
default_md = $ENV::EASYRSA_DIGEST
distinguished_name = $ENV::EASYRSA_DN
x509_extensions = easyrsa_ca  # The extensions to add to the self signed cert
# A placeholder to handle the $EXTRA_EXTS feature:
#%EXTRA_EXTS%  # Do NOT remove or change this line as $EXTRA_EXTS support requires it
# Easy-RSA DN (Subject) handling
# Easy-RSA DN for org support:
[ org ]
countryName = Country Name (2 letter code)
countryName_default = $ENV::EASYRSA_REQ_COUNTRY
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = $ENV::EASYRSA_REQ_PROVINCE
localityName = Locality Name (eg,