
build_ca fails to remove temp files when passwords do not match #234

Closed
TinCanTech opened this issue Sep 23, 2018 · 8 comments

Comments

@TinCanTech
Collaborator

TinCanTech commented Sep 23, 2018

Line 502 ~

```sh
# build-ca backend:

<snip>

	out_file_tmp="$(mktemp "$out_file.XXXXXXXXXX")"; EASYRSA_TEMP_FILE_3="$out_file_tmp"
	# Get password from user if necessary
	if [ ! $nopass ]; then
		out_key_pass_tmp="$(mktemp)"; EASYRSA_TEMP_FILE_3="$out_key_pass_tmp"
```

EASYRSA_TEMP_FILE_3 is re-assigned.

```text
$ ls -l pki
total 36
-rw------- 1 tct tct    0 Sep 23 16:14 ca.crt.QL7KGY55V2
-rw------- 1 tct tct    0 Sep 23 16:06 ca.crt.sEyI8nB24Y
```

@TinCanTech
Collaborator Author

If using the SSL lib to get the password from stdin

@TinCanTech
Collaborator Author

TinCanTech commented Sep 23, 2018

It is simple to fall back to the SSL lib, but I don't understand why this is not the case now?

@luizluca
Contributor

> If using the SSL lib to get the password from stdin

The problem is that it needs the password twice. I'll take a look a little bit more if openssl could do it in one step.

@luizluca
Contributor

It can be done in a one-step openssl call (tested with openssl 1.1.x). However, there is no way to specify a different cipher for the privkey but 3des or none. The only place I can specify a cipher while generating a privkey is genrsa/genpkey.

I've just opened an issue openssl/openssl#7313 about it.

Now, is using aes256 that important? #17 #58 are related.
OpenSSL still uses it as the default cipher.

I did a POC to show how it would look:
https://github.com/luizluca/easy-rsa/pull/new/build_ca_onestep

@TinCanTech
Collaborator Author

TinCanTech commented Sep 24, 2018

@luizluca the issue here is that EASYRSA_TEMP_FILE_3 is re-assigned.

The other points I noted were to get a clearer answer as to why easyrsa chooses not to rely on the SSL lib for this password. It is still as clear as mud to me, but I have found a solution for #230 .. not #232 though. ;-)

@luizluca
Contributor

Yes, I know that. That's why I proposed to keep it as a list of files instead of isolated variables.
luizluca@f8f100e

I'll post a new PR as soon as the existing ones are merged, in order to avoid conflicts.
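The leak from the first comment (EASYRSA_TEMP_FILE_3 re-assigned, so the first temp file is never removed) beside a list-of-files tracker of the kind luizluca describes, as an added shell example that is not easy-rsa's code or the linked commits. The directory, file names and helper function names are constructed for the demo.

```sh
#!/bin/sh
# Added example, not easy-rsa's code: the single-variable temp-file tracker
# from the report beside a list-based tracker. Paths are constructed.

# Count entries in a directory (empty dir => 0).
count_entries() {
    n=0
    for f in "$1"/*; do
        if [ -e "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Buggy pattern: one variable tracks "the" temp file, so the second
# assignment silently drops the first path and cleanup misses it.
buggy_leftovers() {
    dir="$(mktemp -d)"
    out_file="$dir/ca.crt"
    EASYRSA_TEMP_FILE_3="$(mktemp "$out_file.XXXXXXXXXX")"   # ca.crt.XXXX
    EASYRSA_TEMP_FILE_3="$(mktemp "$dir/pass.XXXXXXXXXX")"   # overwrites it
    # failure path (e.g. passwords did not match): remove the tracked file
    rm -f "$EASYRSA_TEMP_FILE_3"
    n=$(count_entries "$dir")
    rm -rf "$dir"
    echo "$n"          # 1: the ca.crt.* file was left behind
}

# Fixed pattern: every temp file is appended to one list and cleanup walks
# the whole list, however many temp files a code path creates.
EASYRSA_TEMP_FILES=""
track_temp() { EASYRSA_TEMP_FILES="$EASYRSA_TEMP_FILES $1"; }  # no spaces in paths
clean_temp() {
    for f in $EASYRSA_TEMP_FILES; do rm -f "$f"; done
    EASYRSA_TEMP_FILES=""
}

fixed_leftovers() {
    dir="$(mktemp -d)"
    out_file="$dir/ca.crt"
    track_temp "$(mktemp "$out_file.XXXXXXXXXX")"
    track_temp "$(mktemp "$dir/pass.XXXXXXXXXX")"
    clean_temp
    n=$(count_entries "$dir")
    rm -rf "$dir"
    echo "$n"          # 0: both temp files removed
}
```

The list is space-separated for brevity; a newline-separated list with IFS adjusted would also handle paths containing whitespace.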

@ecrist
Member

ecrist commented Jan 29, 2019

This should be fixed now in commit e6d858f.

@TinCanTech
Collaborator Author

This is the correct commit: 2c29026
