Build Safe SSL config at correct stage #954
Merged
This patch set fixes three inter-linked problems.

Problem-1:

When using EC algorithms, it was found that `EASYRSA_REQ_CN` was ignored by `easyrsa` because the value in the config took priority. The config was built too soon, before `EASYRSA_REQ_CN` had been assigned, which meant that building a CA would result in a CA CommonName of `ChangeMe`, instead of `Easy-RSA CA`.

This is partially resolved by not using the `easyrsa_openssl()` meta-wrapper when calling `verify_algo_params()` but calling `EASYRSA_OPENSSL` directly.

This also resolves an issue that if incorrect algorithm settings were chosen then `easyrsa_openssl()` would die with a misleading error, instead of `verify_algo_params()` exiting with the correct error message.

Problem-2:

Diagnosing Problem-1 exposed an issue with the SSL config file. When `EASYRSA_ALGO` was not set to `rsa` then `EASYRSA_KEY_SIZE` was also not set. This resulted in an error in the config file for an empty value for `default_bits`.

This is resolved by ALWAYS assigning a value to `EASYRSA_KEY_SIZE`, regardless of algorithm.

Problem-3:

The first time the Safe SSL config is created then `working_safe_ssl_conf` is set and further invocations of `easyrsa_openssl()` will use the same SSL config file. A new Safe SSL config file is not required once it has been built.

The assignment of `working_safe_ssl_conf` was set too late and resulted in it being set even if the Safe SSL config file had not been built. This is resolved by moving the assignment to the correct place.

A secondary check is also now in place, at the end of `verify_working_env()`, to ensure that `working_safe_ssl_conf` remains unset until the issued command is executed, e.g. `build_ca()`.

Additional:

Move the use of `escape_hazard()`; use the same controlling code as `easyrsa_rewrite_ssl_config()`.
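The three fixes above share one defensive pattern: assign every variable the config references before rendering it, render only after the caller has set its overrides (so the captured CN is the final one), and mark the config as built only once the file actually exists. The following POSIX sh is an added illustration of that pattern and is not Easy-RSA's own code; `set_defaults`, `render_ssl_conf`, `build_safe_ssl_conf`, `conf_has_empty_value`, `demo` and the `SAFE_SSL_CONF_FILE` path are hypothetical names chosen here, while `EASYRSA_ALGO`, `EASYRSA_KEY_SIZE`, `EASYRSA_REQ_CN` and `working_safe_ssl_conf` are the variables named in the description. The rendered config is a deliberately minimal stand-in for the real Safe SSL config.

```shell
#!/bin/sh
# Added illustration (not Easy-RSA code) of the ordering and defaulting rules
# described in the PR. Function names and SAFE_SSL_CONF_FILE are hypothetical.

# Problem-2 fix: assign a value to every variable the config references,
# regardless of algorithm, so no "key = " line is ever emitted empty.
set_defaults() {
    : "${EASYRSA_ALGO:=rsa}"
    : "${EASYRSA_KEY_SIZE:=2048}"   # also assigned when EASYRSA_ALGO is ec
    : "${EASYRSA_REQ_CN:=ChangeMe}"
}

# Render a minimal OpenSSL-style config from the current variables. It must be
# called only after the caller has set its own EASYRSA_REQ_CN, otherwise the
# config captures the default CN (the Problem-1 failure mode).
render_ssl_conf() {
    printf '[ req ]\ndefault_bits = %s\ndistinguished_name = req_dn\n\n[ req_dn ]\ncommonName_default = %s\n' \
        "$EASYRSA_KEY_SIZE" "$EASYRSA_REQ_CN"
}

# Problem-3 fix: build the config file once and reuse it on later calls.
# working_safe_ssl_conf is assigned only after the file has been written,
# so it can never point at a config that does not exist.
build_safe_ssl_conf() {
    if [ -n "$working_safe_ssl_conf" ]; then
        return 0
    fi
    set_defaults
    render_ssl_conf > "$SAFE_SSL_CONF_FILE" || return 1
    working_safe_ssl_conf="$SAFE_SSL_CONF_FILE"
}

# Returns 0 if any "key =" line in the config has an empty right-hand side,
# which is the empty default_bits condition from Problem-2.
conf_has_empty_value() {
    grep -Eq '^[A-Za-z_]+ *= *$' "$1"
}

# Stand-alone walkthrough: EC algorithm, CN set before the build, config
# built once, then printed. Run with: . ./safe_ssl_conf.sh && demo
demo() {
    SAFE_SSL_CONF_FILE="${TMPDIR:-/tmp}/safe-ssl-demo.$$"
    EASYRSA_ALGO=ec
    EASYRSA_REQ_CN="Easy-RSA CA"
    unset EASYRSA_KEY_SIZE working_safe_ssl_conf
    build_safe_ssl_conf
    cat "$SAFE_SSL_CONF_FILE"
    rm -f "$SAFE_SSL_CONF_FILE"
}
```

Sourcing the file and calling `demo` writes a config whose `default_bits` is `2048` even though `EASYRSA_ALGO` is `ec`, and whose `commonName_default` is `Easy-RSA CA` because the CN was assigned before the build. Calling `render_ssl_conf` directly with `EASYRSA_KEY_SIZE` unset reproduces the empty-value line that `conf_has_empty_value` detects.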