easyrsa_openssl(): Create a safe SSL config once per instance ONLY #931

Merged
merged 4 commits into from Apr 10, 2023

Conversation

TinCanTech
Collaborator

No description provided.

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
@TinCanTech
Collaborator Author

Failure is because cert_date_to_timestamp_s() expects a cert-date but is being given an ISO-8601 date.

Linux and Windows date accepts the ISO-8601 input format.

MacOS does not. busybox would probably fail too.

Only affects status reports.

If the certificate does not exist then the database date is used.
The database date is a shortened ISO-8601 date, the certificate date
is presented in a completely different format.

Omit the calculated "seconds since epoch" double check via 'date',
when the certificate does not exist.

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
@TinCanTech
Collaborator Author

As a test, if the first safe-SSL config file is deleted after setting working_safe_ssl_conf then SSL fails:

Using configuration from ffs/73cf2d93/temp.3.1
Can't open ffs/73cf2d93/temp.3.1 for reading, No such file or directory

Status reports function read_db() MUST recreate the secure session
for each record of the database being read.

Introduce remove_secure_session(), to remove the session and reset
related flags:
- secure_session: The directory name of the session. Deleted.
- working_safe_ssl_conf - Safe SSL config file.  Deleted.
- mktemp_counter - Count of temp files. Deleted.

Also use remove_secure_session() in cleanup().

Improve some verbose output.
Wrap some long lines.

Signed-off-by: Richard T Bonhomme <tincantech@protonmail.com>
@TinCanTech TinCanTech merged commit 0538f15 into OpenVPN:master Apr 10, 2023
3 checks passed
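
The date-format mismatch discussed in this thread, as an added example that is not part of the pull request or Easy-RSA's code: converting both date forms to seconds since the epoch with shell arithmetic only, so the result does not depend on which `date` implementation is installed. The function names are hypothetical; the database form is assumed to be the UTCTime field of OpenSSL's `index.txt`, and the certificate form the text printed by `openssl x509 -noout -enddate`.

```sh
# Added example, not Easy-RSA code; all function names are hypothetical.

# epoch_utc YEAR MONTH DAY HH MM SS -> seconds since 1970-01-01 UTC.
# Pure civil-date arithmetic, so it never depends on which date(1) is
# installed. One leading zero is stripped per field so that "08" is not
# rejected as an invalid octal constant.
epoch_utc() {
    y=$1 m=${2#0} d=${3#0} H=${4#0} M=${5#0} S=${6#0}
    if [ "$m" -le 2 ]; then y=$((y - 1)); fi
    era=$((y / 400)) yoe=$((y % 400)) mp=$(( (m + 9) % 12 ))
    doy=$(( (153 * mp + 2) / 5 + d - 1 ))
    doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
    echo $(( (era * 146097 + doe - 719468) * 86400 + H * 3600 + M * 60 + S ))
}

# Database form, assumed to be the UTCTime in index.txt: YYMMDDHHMMSSZ.
# RFC 5280: YY >= 50 means 19YY, otherwise 20YY.
db_date_to_epoch() {
    rest=${1%Z}
    [ "${#rest}" -eq 12 ] || return 1
    case $rest in *[!0-9]*) return 1 ;; esac
    set --
    while [ -n "$rest" ]; do
        set -- "$@" "${rest%"${rest#??}"}"    # peel off two digits
        rest=${rest#??}
    done
    yy=${1#0}
    if [ "$yy" -ge 50 ]; then yy=$((1900 + yy)); else yy=$((2000 + yy)); fi
    epoch_utc "$yy" "$2" "$3" "$4" "$5" "$6"
}

# Certificate form, as printed by `openssl x509 -noout -enddate` after
# "notAfter=": "Apr 10 12:34:56 2023 GMT" (day may be space-padded).
cert_date_to_epoch() {
    set -- $1                       # unquoted on purpose: split on spaces
    [ "$#" -eq 5 ] && [ "$5" = GMT ] || return 1
    case $1 in
        Jan) mon=1 ;; Feb) mon=2 ;; Mar) mon=3 ;; Apr) mon=4 ;;
        May) mon=5 ;; Jun) mon=6 ;; Jul) mon=7 ;; Aug) mon=8 ;;
        Sep) mon=9 ;; Oct) mon=10 ;; Nov) mon=11 ;; Dec) mon=12 ;;
        *) return 1 ;;
    esac
    hms=$3 mi=${3#*:}
    epoch_utc "$4" "$mon" "$2" "${hms%%:*}" "${mi%:*}" "${hms##*:}"
}

# Constructed sample values: the same instant in both formats.
db_date_to_epoch 230410123456Z                  # 1681130096
cert_date_to_epoch "Apr 10 12:34:56 2023 GMT"   # 1681130096
```

Each parser returns non-zero on input in the other form, so a caller can detect a mixed-up date source instead of producing a wrong timestamp.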