Re: [Openvpn-devel] [PATCH] Add new openssl.cnf to easy-rsa/Windows

2011-06-22 Thread Samuli Seppänen
Hi,

A new Windows installer based on release/2.2 branch with my easy-rsa
patches applied is now available here:



Also, a standalone version of fixed easy-rsa directory is available here:



It can be extracted to an existing OpenVPN 2.2* install directory - just
move old easy-rsa directory out of the way first. If you can, please
test that it works as expected. Basic usage on WinXP seemed to work fine:

$ init-config
$ vars
$ clean-all
$ build-ca
$ build-key-server
$ build-key client1

If possible, please test "domake-win" builds and see if/how they break.
This is probably the most important fix for 2.2.1 which we hope to get
out on Friday. Use of easy-rsa is documented in the included README file
and here:



Samuli







> Hi all,
>
> I falsely assumed openssl.cnf was a default file from OpenSSL release
> packages, even though it was heavily modified for easy-rsa. The root
> cause of the issue seems to be that OpenSSL 1.0.0 does not like
> undefined variables in openssl.cnf.  I fixed the Windows side today,
> and a preliminary patch is available here:
>
> 
>
> This patch applies on top of "Fix a build-ca issue on Windows" in
> "master" and fixes Trac ticket #125. A few other things still need
> fixing:
>
> - Lack of file called "easy-rsa/2.0/openssl.cnf"  will probably break
> "domake-win" builds - or at least easy-rsa on installers generated
> with it.
> - openssl-1.0.0.cnf has not yet been tested on *NIX
> - changes to "easy-rsa/2.0/vars" script have not been tested
>
> The added environment variables should not have negative side-effects.
> I'll test Windows installer generation tomorrow to make sure easy-rsa
> works out of the box on Windows. Help with *NIX+OpenSSL 1.0.0 and
> "domake-win" would be appreciated.
>
> Samuli
>> On 20/06/11 12:30, Jan Just Keijser wrote:
>> [...snip...]
>> >> Samuli, can you please look closer into this?  I did a more
>> careful diff
>> >> from 2.0/openssl.cnf and Windows/openssl.cnf ... and it seems quite
>> >> different.  Can we please unite them?
>> >>
>> >> JJK: Do you know which differences are needed between Windows and
>> >> non-Windows?
>> >>
>> >>   
>> > I just checked that the openssl.cnf file shipped with the windows
>> version
>> > of  openvpn 2.1.4 is identical to the easy-rsa/2.0 version - is
>> there any
>> > reason not to do the same for openvpn 2.2?
>>
>>
>> Good question!
>>
>> Samuli, what do you think?  Could we actually just move the
>> 2.0/openssl.cnf
>> to a common directory where the installers will pick this config
>> file?  To
>> have the same file in more places in the source tree sounds chaotic
>> for me,
>> especially when 2.1.4 uses the same file everywhere.
>>
>> I'd suggest ./easy-rsa as a good common base.
>>
>> I'm also wondering if we need to still carry easy-rsa/1.0 in the source
>> tree.  It looks rather dead ...
>>
>> $ git log --follow --oneline ./easy-rsa/1.0/
>> 3c7f2f5 version 2.1_beta1
>>
>> Compared to this:
>>
>> $ git log --follow --oneline ./easy-rsa/2.0/
>> 6dc6019 pkitool lacks expected option "--help"
>> 2d4e768 bash->bourne script cleanup
>> 564a210 Updated copyright date to 2010.
>> 9f4725e pkitool lacks expected option "--help"
>> d7fa38f Update copyright to 2009.
>> 2534aa4 Fixed revoke-full to deal with issue arising from addition ...
>> dbec0a2 Modified pkitool to allow flexibility in separating the Com...
>> d56dec6 Change to pkitool/openssl.cnf so that calling scripts can s...
>> 367ed08 Copyright notice changed to reflect change in name of Telet...
>> 1c0cc4a Copyright change OpenVPN Solutions LLC -> Telethra, Inc.
>> eca8691 Updated copyright notice to 2008.
>> 4d90d73 Updated version & changelog.
>> d4fb6d4 Set tool defaults in pkitool.
>> eba4632 Added note about alternative version of easy-rsa that suppo...
>> 8d54351 Clean up configure on FreeBSD for recent autotool versions ...
>> acb567c A few more updates: -r 1015:1025 https://svn.openvpn.net/pr...
>> a8105c6 Merged PKCS#11 extensions to easy-rsa/2.0  (Alon Bar-Lev). ...
>> 513baee Small fixes: * Fixed variable declaration in crypto.c that ...
>> 411e89a Merged --remote-cert-ku, --remote-cert-eku, and --remote-ce...
>> 8810c26 Moved easy-rsa 2.0 scripts to easy-rsa/2.0 to be compatible...
>>
>> $ git log --follow --oneline ./easy-rsa/Windows/
>> 54c739e Revert "Add new openssl.cnf to easy-rsa/Windows"
>> 663860a Add new openssl.cnf to easy-rsa/Windows
>> 3810843 Fix a build-ca issue on Windows
>> 6b2883a Change all CRLF linefeeds to LF linefeeds
>> d0b4271 In Windows build, package a statically linked openssl.exe t...
>> 4030142 The easy-rsa directory installed by the windows installer c...
>> 6fbf66f This is the start of the BETA21 branch. It includes the --t...
>>
>>
>> kind regards,
>>

Re: [Openvpn-devel] [PATCH] Add new openssl.cnf to easy-rsa/Windows

2011-06-21 Thread Samuli Seppänen
Hi all,

I falsely assumed openssl.cnf was a default file from OpenSSL release
packages, even though it was heavily modified for easy-rsa. The root
cause of the issue seems to be that OpenSSL 1.0.0 does not like
undefined variables in openssl.cnf.  I fixed the Windows side today, and
a preliminary patch is available here:



This patch applies on top of "Fix a build-ca issue on Windows" in
"master" and fixes Trac ticket #125. A few other things still need fixing:

- Lack of file called "easy-rsa/2.0/openssl.cnf"  will probably break
"domake-win" builds - or at least easy-rsa on installers generated with it.
- openssl-1.0.0.cnf has not yet been tested on *NIX
- changes to "easy-rsa/2.0/vars" script have not been tested

The added environment variables should not have negative side-effects.
I'll test Windows installer generation tomorrow to make sure easy-rsa
works out of the box on Windows. Help with *NIX+OpenSSL 1.0.0 and
"domake-win" would be appreciated.

Samuli
> On 20/06/11 12:30, Jan Just Keijser wrote:
> [...snip...]
> >> Samuli, can you please look closer into this?  I did a more careful
> diff
> >> from 2.0/openssl.cnf and Windows/openssl.cnf ... and it seems quite
> >> different.  Can we please unite them?
> >>
> >> JJK: Do you know which differences are needed between Windows and
> >> non-Windows?
> >>
> >>   
> > I just checked that the openssl.cnf file shipped with the windows
> version
> > of  openvpn 2.1.4 is identical to the easy-rsa/2.0 version - is
> there any
> > reason not to do the same for openvpn 2.2?
>
>
> Good question!
>
> Samuli, what do you think?  Could we actually just move the
> 2.0/openssl.cnf
> to a common directory where the installers will pick this config file?  To
> have the same file in more places in the source tree sounds chaotic
> for me,
> especially when 2.1.4 uses the same file everywhere.
>
> I'd suggest ./easy-rsa as a good common base.
>
> I'm also wondering if we need to still carry easy-rsa/1.0 in the source
> tree.  It looks rather dead ...
>
> $ git log --follow --oneline ./easy-rsa/1.0/
> 3c7f2f5 version 2.1_beta1
>
> Compared to this:
>
> $ git log --follow --oneline ./easy-rsa/2.0/
> 6dc6019 pkitool lacks expected option "--help"
> 2d4e768 bash->bourne script cleanup
> 564a210 Updated copyright date to 2010.
> 9f4725e pkitool lacks expected option "--help"
> d7fa38f Update copyright to 2009.
> 2534aa4 Fixed revoke-full to deal with issue arising from addition ...
> dbec0a2 Modified pkitool to allow flexibility in separating the Com...
> d56dec6 Change to pkitool/openssl.cnf so that calling scripts can s...
> 367ed08 Copyright notice changed to reflect change in name of Telet...
> 1c0cc4a Copyright change OpenVPN Solutions LLC -> Telethra, Inc.
> eca8691 Updated copyright notice to 2008.
> 4d90d73 Updated version & changelog.
> d4fb6d4 Set tool defaults in pkitool.
> eba4632 Added note about alternative version of easy-rsa that suppo...
> 8d54351 Clean up configure on FreeBSD for recent autotool versions ...
> acb567c A few more updates: -r 1015:1025 https://svn.openvpn.net/pr...
> a8105c6 Merged PKCS#11 extensions to easy-rsa/2.0  (Alon Bar-Lev). ...
> 513baee Small fixes: * Fixed variable declaration in crypto.c that ...
> 411e89a Merged --remote-cert-ku, --remote-cert-eku, and --remote-ce...
> 8810c26 Moved easy-rsa 2.0 scripts to easy-rsa/2.0 to be compatible...
>
> $ git log --follow --oneline ./easy-rsa/Windows/
> 54c739e Revert "Add new openssl.cnf to easy-rsa/Windows"
> 663860a Add new openssl.cnf to easy-rsa/Windows
> 3810843 Fix a build-ca issue on Windows
> 6b2883a Change all CRLF linefeeds to LF linefeeds
> d0b4271 In Windows build, package a statically linked openssl.exe t...
> 4030142 The easy-rsa directory installed by the windows installer c...
> 6fbf66f This is the start of the BETA21 branch. It includes the --t...
>
>
> kind regards,
>
> David Sommerseth




Re: [Openvpn-devel] [PATCH] Add new openssl.cnf to easy-rsa/Windows

2011-06-20 Thread David Sommerseth
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 20/06/11 12:30, Jan Just Keijser wrote:
[...snip...]
>> Samuli, can you please look closer into this?  I did a more careful diff
>> from 2.0/openssl.cnf and Windows/openssl.cnf ... and it seems quite
>> different.  Can we please unite them?
>>
>> JJK: Do you know which differences are needed between Windows and
>> non-Windows?
>>
>>   
> I just checked that the openssl.cnf file shipped with the windows version
> of  openvpn 2.1.4 is identical to the easy-rsa/2.0 version - is there any
> reason not to do the same for openvpn 2.2?
> 

Good question!

Samuli, what do you think?  Could we actually just move the 2.0/openssl.cnf
to a common directory where the installers will pick this config file?  To
have the same file in more places in the source tree sounds chaotic for me,
especially when 2.1.4 uses the same file everywhere.

I'd suggest ./easy-rsa as a good common base.

I'm also wondering if we need to still carry easy-rsa/1.0 in the source
tree.  It looks rather dead ...

$ git log --follow --oneline ./easy-rsa/1.0/
3c7f2f5 version 2.1_beta1

Compared to this:

$ git log --follow --oneline ./easy-rsa/2.0/
6dc6019 pkitool lacks expected option "--help"
2d4e768 bash->bourne script cleanup
564a210 Updated copyright date to 2010.
9f4725e pkitool lacks expected option "--help"
d7fa38f Update copyright to 2009.
2534aa4 Fixed revoke-full to deal with issue arising from addition ...
dbec0a2 Modified pkitool to allow flexibility in separating the Com...
d56dec6 Change to pkitool/openssl.cnf so that calling scripts can s...
367ed08 Copyright notice changed to reflect change in name of Telet...
1c0cc4a Copyright change OpenVPN Solutions LLC -> Telethra, Inc.
eca8691 Updated copyright notice to 2008.
4d90d73 Updated version & changelog.
d4fb6d4 Set tool defaults in pkitool.
eba4632 Added note about alternative version of easy-rsa that suppo...
8d54351 Clean up configure on FreeBSD for recent autotool versions ...
acb567c A few more updates: -r 1015:1025 https://svn.openvpn.net/pr...
a8105c6 Merged PKCS#11 extensions to easy-rsa/2.0  (Alon Bar-Lev). ...
513baee Small fixes: * Fixed variable declaration in crypto.c that ...
411e89a Merged --remote-cert-ku, --remote-cert-eku, and --remote-ce...
8810c26 Moved easy-rsa 2.0 scripts to easy-rsa/2.0 to be compatible...

$ git log --follow --oneline ./easy-rsa/Windows/
54c739e Revert "Add new openssl.cnf to easy-rsa/Windows"
663860a Add new openssl.cnf to easy-rsa/Windows
3810843 Fix a build-ca issue on Windows
6b2883a Change all CRLF linefeeds to LF linefeeds
d0b4271 In Windows build, package a statically linked openssl.exe t...
4030142 The easy-rsa directory installed by the windows installer c...
6fbf66f This is the start of the BETA21 branch. It includes the --t...


kind regards,

David Sommerseth
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk3/N1YACgkQDC186MBRfrqnhACfRIzVbmXxPr07nnD71SQWkf1H
AxAAn3JCMtBqWh4X7loLPntg6vkAKeRt
=wEAg
-----END PGP SIGNATURE-----



Re: [Openvpn-devel] [PATCH] Add new openssl.cnf to easy-rsa/Windows

2011-06-20 Thread Jan Just Keijser

Hi David,

David Sommerseth wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 20/06/11 11:36, Jan Just Keijser wrote:
  

NACK on this patch - the openssl.cnf file should be (almost) the same as
the one used in easy-rsa/2.0
that way the certificates are generated in the same manner (*with*
EKU=ServerAuth)




Okay, I'll revert commit 663860ad04dd4190fddbee63e724d3fdceafd937 (master)
and 6989cbde616a00380acf3a390959987765a5325b (release/2.2) immediately.

Samuli, can you please look closer into this?  I did a more careful diff
from 2.0/openssl.cnf and Windows/openssl.cnf ... and it seems quite
different.  Can we please unite them?

JJK: Do you know which differences are needed between Windows and non-Windows?

  
I just checked that the openssl.cnf file shipped with the windows 
version of  openvpn 2.1.4 is identical to the easy-rsa/2.0 version - is 
there any reason not to do the same for openvpn 2.2?


cheers,

JJK



Re: [Openvpn-devel] [PATCH] Add new openssl.cnf to easy-rsa/Windows

2011-06-20 Thread David Sommerseth
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 20/06/11 11:36, Jan Just Keijser wrote:
> NACK on this patch - the openssl.cnf file should be (almost) the same as
> the one used in easy-rsa/2.0
> that way the certificates are generated in the same manner (*with*
> EKU=ServerAuth)
> 

Okay, I'll revert commit 663860ad04dd4190fddbee63e724d3fdceafd937 (master)
and 6989cbde616a00380acf3a390959987765a5325b (release/2.2) immediately.

Samuli, can you please look closer into this?  I did a more careful diff
from 2.0/openssl.cnf and Windows/openssl.cnf ... and it seems quite
different.  Can we please unite them?

JJK: Do you know which differences are needed between Windows and non-Windows?


kind regards,

David Sommerseth
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk3/Fl0ACgkQDC186MBRfrpmVwCeMIIaJNAzihq7SSHJ3BQdxMoW
/ioAoKbAENB4uekWYa0LCWmj1/ZM3TNm
=LrKg
-----END PGP SIGNATURE-----



Re: [Openvpn-devel] [PATCH] Add new openssl.cnf to easy-rsa/Windows

2011-06-20 Thread Jan Just Keijser
NACK on this patch - the openssl.cnf file should be (almost) the same as 
the one used in easy-rsa/2.0
that way the certificates are generated in the same manner (*with* 
EKU=ServerAuth)


JJK

David Sommerseth wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 20/06/11 09:49, sam...@openvpn.net wrote:
  

From: Samuli Seppänen 

This is required for patch "Fix a build-ca issue on Windows" to work
---
 easy-rsa/Windows/openssl.cnf |  350 ++
 1 files changed, 350 insertions(+), 0 deletions(-)
 create mode 100644 easy-rsa/Windows/openssl.cnf



ACK.  Applied to master and release/2.2

I see that 'extendedKeyUsage=serverAuth' is not set. I am not 100% sure if
that is needed or not, or just "nice to have".  This was mentioned in Trac
ticket #125 [1]. So I'm accepting the openssl.cnf patch as it is now, and
we can rather fix this attribute later on if it is not enough.

commit 663860ad04dd4190fddbee63e724d3fdceafd937 (master)
commit 6989cbde616a00380acf3a390959987765a5325b (release/2.2)
Author: Samuli Seppänen 
Date:   Mon Jun 20 10:49:41 2011 +0300

Add new openssl.cnf to easy-rsa/Windows

This is required for patch "Fix a build-ca issue on Windows" to work

Signed-off-by: Samuli Seppänen 
Acked-by: David Sommerseth 


Kind regards,

David Sommerseth


[1] 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk3/EnsACgkQDC186MBRfroPsQCfT6am6MJsmzhaNtWEOWfs0PFp
KyMAn1M3ljU1cf6BWgL/8rraB0IBrh4O
=VmQ8
-----END PGP SIGNATURE-----

--
EditLive Enterprise is the world's most technically advanced content
authoring tool. Experience the power of Track Changes, Inline Image
Editing and ensure content is compliant with Accessibility Checking.
http://p.sf.net/sfu/ephox-dev2dev
___
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
  





Re: [Openvpn-devel] [PATCH] Add new openssl.cnf to easy-rsa/Windows

2011-06-20 Thread David Sommerseth
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 20/06/11 09:49, sam...@openvpn.net wrote:
> From: Samuli Seppänen 
> 
> This is required for patch "Fix a build-ca issue on Windows" to work
> ---
>  easy-rsa/Windows/openssl.cnf |  350 
> ++
>  1 files changed, 350 insertions(+), 0 deletions(-)
>  create mode 100644 easy-rsa/Windows/openssl.cnf

ACK.  Applied to master and release/2.2

I see that 'extendedKeyUsage=serverAuth' is not set. I am not 100% sure if
that is needed or not, or just "nice to have".  This was mentioned in Trac
ticket #125 [1]. So I'm accepting the openssl.cnf patch as it is now, and
we can rather fix this attribute later on if it is not enough.

commit 663860ad04dd4190fddbee63e724d3fdceafd937 (master)
commit 6989cbde616a00380acf3a390959987765a5325b (release/2.2)
Author: Samuli Seppänen 
List-Post: openvpn-devel@lists.sourceforge.net
Date:   Mon Jun 20 10:49:41 2011 +0300

Add new openssl.cnf to easy-rsa/Windows

This is required for patch "Fix a build-ca issue on Windows" to work

Signed-off-by: Samuli Seppänen 
Acked-by: David Sommerseth 


Kind regards,

David Sommerseth


[1] 
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/

iEYEARECAAYFAk3/EnsACgkQDC186MBRfroPsQCfT6am6MJsmzhaNtWEOWfs0PFp
KyMAn1M3ljU1cf6BWgL/8rraB0IBrh4O
=VmQ8
-----END PGP SIGNATURE-----
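As an added illustration (not code from the OpenVPN project, easy-rsa, or any message in this thread), the Python script below performs the two pre-flight checks the thread turns on. First, it flags every `$ENV::NAME` reference in an openssl.cnf whose variable is not set in the environment, which is the failure mode Samuli traces to OpenSSL 1.0.0 refusing undefined variables. Second, it checks that the extension section used when signing server certificates carries `extendedKeyUsage = serverAuth`, the attribute JJK's NACK and David's ACK discuss. The sample configuration, the section name `server`, and the `KEY_*` variable names are constructed for the example and are not taken from the thread; the functions `parse_cnf`, `missing_env_vars`, `eku_values` and `lint` are this example's own.

```python
import os
import re

# Matches $ENV::NAME and ${ENV::NAME}, the two spellings OpenSSL's config
# parser accepts for environment lookups.
ENV_REF = re.compile(r"\$\{?ENV::([A-Za-z_][A-Za-z0-9_]*)\}?")


def parse_cnf(text):
    """Parse an INI-style openssl.cnf into {section: {key: value}}.

    Keys that appear before the first [section] header land in "default".
    '#' starts a comment; a surrounding pair of double quotes is stripped
    from values. Line continuations are not handled (easy-rsa's file
    does not use them).
    """
    sections = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        if "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip().strip('"')
    return sections


def missing_env_vars(text, env):
    """Names referenced as $ENV::NAME that are absent from env.

    A variable set to an empty string counts as defined: OpenSSL only
    raises "variable has no value" when the lookup finds no variable at all.
    """
    return sorted(name for name in set(ENV_REF.findall(text)) if name not in env)


def eku_values(sections, section):
    """The comma-separated extendedKeyUsage list of an extension section."""
    raw = sections.get(section, {}).get("extendedKeyUsage", "")
    return [v.strip() for v in raw.split(",") if v.strip()]


def lint(text, env=None, server_section="server"):
    """Return a list of findings; an empty list means both checks passed."""
    env = os.environ if env is None else env
    findings = []
    for name in missing_env_vars(text, env):
        findings.append(
            "undefined $ENV::%s (OpenSSL 1.0.0 aborts on this; export it, "
            "an empty value is enough)" % name
        )
    sections = parse_cnf(text)
    if server_section not in sections:
        findings.append("no [%s] extension section for server certificates"
                        % server_section)
    elif "serverAuth" not in eku_values(sections, server_section):
        findings.append(
            "[%s] lacks extendedKeyUsage = serverAuth; clients that verify "
            "the server EKU (e.g. --remote-cert-tls server) will reject "
            "certificates signed with it" % server_section
        )
    return findings


# Constructed sample laid out like an easy-rsa style openssl.cnf; the
# variable and section names are illustrations, not the project's file.
SAMPLE_CNF = """
[ req ]
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
countryName_default            = $ENV::KEY_COUNTRY
organizationalUnitName_default = $ENV::KEY_OU
commonName_default             = $ENV::KEY_CN   # filled in from vars

[ server ]
basicConstraints = CA:FALSE
nsCertType       = server
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
"""

# The same file with the server EKU line dropped: the case the thread NACKed.
SAMPLE_CNF_NO_EKU = SAMPLE_CNF.replace("extendedKeyUsage = serverAuth\n", "")


if __name__ == "__main__":
    # Only KEY_COUNTRY is exported; KEY_OU and KEY_CN are missing.
    env = {"KEY_COUNTRY": "FI"}
    for finding in lint(SAMPLE_CNF, env):
        print("FAIL:", finding)
    # Defining every variable (even as "") and keeping the EKU makes it clean.
    env.update({"KEY_OU": "", "KEY_CN": ""})
    print("clean:", lint(SAMPLE_CNF, env) == [])
    for finding in lint(SAMPLE_CNF_NO_EKU, env):
        print("FAIL:", finding)
```

Run it with `lint(open("openssl.cnf").read())` after sourcing `vars` and before `build-ca`, so a missing export shows up as a named variable instead of an opaque OpenSSL error mid-way through key generation. The environment check deliberately tests for presence rather than non-emptiness, because OpenSSL accepts a defined-but-empty variable; the EKU check is section-based because the signing scripts select which extension section applies to server versus client certificates.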