easyrsa_openssl(): Always set OPENSSL_CONF to EasyRSA safe SSL config #794
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
TinCanTech
added
EasyRSA-OpenSSL-Config
improvement
Applicable to v3.0.x
|
This patch also simplifies |
LibreSSL Always probes the file assigned by environment variable OPENSSL_CONF. Default can be found via command 'openssl version -d' EasyRSA MUST provide a suitable "safe" SSL config file to LibreSSL. Therefore, all SSL calls made by EasyRSA SHOULD go via easyrsa_openssl(), which can be forced to ALWAYS build a "safe" SSL config file. By always building a "safe" SSL config file, EasyRSA can always configure the default value for OPENSSL_CONF. This patch changes easyrsa_openssl(), to force generation of a safe SSL config on EVERY use and set OPENSSL_CONF to the same. Calls to easyrsa_openssl() ALWAYS generate a safe SSL config file, however, that config file is only called via SSL option '-config' when the command requires an SSL config file. (As by original design) The environment variable OPENSSL_CONF always points to the EasyRSA "safe" SSL config file, although the SSL command may not support the '-config' option. The fundemental changes made here are, easyrsa_openssl(): - ALWAYS creates a "safe" SSL config file, although it may not be required. - ALWAYS assigns SSL env-var OPENSSL_CONF to the above "safe" SSL config file. Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
TinCanTech
force-pushed
the
set-OPENSSL_CONF
branch
from
e94e91d
to
80b2453
Compare
|
Force push to update commit message. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
LibreSSL Always probes the file assigned by environment variable OPENSSL_CONF. Default can be found via command 'openssl version -d'
EasyRSA MUST provide a suitable "safe" SSL config file to LibreSSL.
Therefore, all SSL calls made by EasyRSA SHOULD go via easyrsa_openssl(), which can be forced to ALWAYS build a "safe" SSL config file.
By always building a "safe" SSL config file, EasyRSA can always configure the default value for OPENSSL_CONF.
This patch changes easyrsa_openssl(), to force generation of a safe SSL config on EVERY use and set OPENSSL_CONF to the same.
Calls to easyrsa_openssl() ALWAYS generate a safe SSL config file but that config file is only called via SSL option '-config' when the command requires an SSL config file. (As by original design)
The environment variable OPENSSL_CONF always points to the EasyRSA "safe" SSL config file, although the SSL command may not support the '-config' option.
The fundemental changes made here are, easyrsa_openssl():
Signed-off-by: Richard T Bonhomme tincantech@protonmail.com