LibreSSL: build-*-full uses an incorrect SSL config file #1149

Closed
TinCanTech opened this issue May 28, 2024 · 1 comment · Fixed by #1150

Collaborator

TinCanTech commented May 28, 2024

When using LibreSSL, the SSL config is expanded to safessl-easyrsa.cnf. However, the code reverts to the last expanded openssl-easyrsa.cnf file during the signing phase, sign-req.

The simplest solution is to ALWAYS use openssl-easyrsa.cnf and ONLY expand it for use by LibreSSL when the easyrsa_openssl function is called, effectively removing ALL use of safessl-easyrsa.cnf.

Example 1.0:

tct@home:/dev/shm/easyrsa$ EASYRSA_TOOLS_LIB=/home/tct/git/easy-rsa/tct-fork/master/dev/easyrsa-tools.lib EASYRSA_OPENSSL=/home/tct/libressl/libressl-3.8.2/apps/openssl/openssl easyrsa --verbose --nopass --san=DNS:www.example.org --san=IP:10.0.0.1 --keep-tmp=lssl build-client-full c6
  # select_vars: PWD/vars
Using Easy-RSA 'vars' configuration:
* /dev/shm/easyrsa/vars
  # source_vars: CLEAN '/dev/shm/easyrsa/vars'
  # source_vars: sourced OK '/dev/shm/easyrsa/vars'
  # mutual_exclusions: COMPLETED
  # : EASYRSA_EXT_DIR: built-in
  # : EASYRSA_SSL_CONF: /dev/shm/easyrsa/pki/openssl-easyrsa.cnf
  # : EASYRSA_TOOLS_LIB: /home/tct/git/easy-rsa/tct-fork/master/dev/easyrsa-tools.lib
  # locate_support_files: COMPLETED
  # verify_ssl_lib():
Using SSL:
* /home/tct/libressl/libressl-3.8.2/apps/openssl/openssl LibreSSL 3.8.2
  # verify_working_env: BEGIN
  # secure_session: CREATED: /dev/shm/easyrsa/pki/81c66eaf
  # write_easyrsa_ssl_cnf_tmp: SSL config EXISTS
  # write_easyrsa_ssl_cnf_tmp: SSL config KNOWN
  # easyrsa_mktemp: ssl_cnf_tmp OK: /dev/shm/easyrsa/pki/81c66eaf/temp.0.1
  # write_easyrsa_ssl_cnf_tmp: SSL config /dev/shm/easyrsa/pki/81c66eaf/temp.0.1
  # verify_algo_params: Params verified for algo 'rsa'
  # verify_working_env: COMPLETED
  # : Handover-to: build-client-full
  # easyrsa_mktemp: adjusted_ssl_cnf_tmp OK: /dev/shm/easyrsa/pki/81c66eaf/temp.1.1
  # easyrsa_mktemp: key_out_tmp OK: /dev/shm/easyrsa/pki/81c66eaf/temp.2.1
  # easyrsa_mktemp: req_out_tmp OK: /dev/shm/easyrsa/pki/81c66eaf/temp.3.1
  # : easyrsa_openssl - BEGIN req
  # :: escape_hazard: RUN-ONCE
  # :: escape_hazard: REPLACED by heredoc expansion
  # :: escape_hazard: ABANDONED
  # :: expand_ssl_config: REQUIRED
  # :: expand_ssl_config: RUN-ONCE
  # easyrsa_mktemp: safe_ssl_cnf_tmp OK: /dev/shm/easyrsa/pki/81c66eaf/temp.4.1
  # :: expand_ssl_config: via 'write' COMPLETED
  # : manage_ssl_config: Safe SSL conf OK: /dev/shm/easyrsa/pki/81c66eaf/temp.4.1

The gen-req phase correctly uses the Safe SSL conf above, temp.4.1.

Example 1.1:

Generating a 2048 bit RSA private key
..............
.
writing new private key to '/dev/shm/easyrsa/pki/81c66eaf/temp.2.1'
-----

Notice
------
Private-Key and Public-Certificate-Request files created.
Your files are:
* req: /dev/shm/easyrsa/pki/reqs/c6.req
* key: /dev/shm/easyrsa/pki/private/c6.key 


  # : easyrsa_openssl - BEGIN req
  # :: escape_hazard: RUN-ONCE
  # :: escape_hazard: REPLACED by heredoc expansion
  # :: escape_hazard: ABANDONED
  # :: expand_ssl_config: RUN-ONCE BYPASS
  # : manage_ssl_config: Safe SSL conf OK: /dev/shm/easyrsa/pki/81c66eaf/temp.4.1
  # check_serial_unique: unique_serial=true
  # easyrsa_mktemp: adjusted_ssl_cnf_tmp OK: /dev/shm/easyrsa/pki/81c66eaf/temp.5.1
  # sign_req: Using 'copy_extensions = copy'
  # Final EASYRSA_SSL_CONF = /dev/shm/easyrsa/pki/81c66eaf/temp.5.1

The Final SSL conf is set to temp.5.1.

Example 1.2:

  # easyrsa_mktemp: write_x509_file_tmp OK: /dev/shm/easyrsa/pki/81c66eaf/temp.6.1
  # write_x509_type_tmp: client COMPLETE
  # easyrsa_mktemp: write_x509_file_tmp OK: /dev/shm/easyrsa/pki/81c66eaf/temp.7.1
  # write_x509_type_tmp: COMMON COMPLETE
  # easyrsa_mktemp: ext_tmp OK: /dev/shm/easyrsa/pki/81c66eaf/temp.8.1
  # sign_req: Generated extensions file OK
You are about to sign the following certificate:

  Requested CN:   'c6'
  Requested type: 'client'
  Valid for:      '825' days

subject=
    commonName                = c6

            X509v3 Subject Alternative Name:
                DNS:www.example.org, IP:10.0.0.1

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes

  # easyrsa_mktemp: crt_out_tmp OK: /dev/shm/easyrsa/pki/81c66eaf/temp.9.1
  # : easyrsa_openssl - BEGIN ca
  # :: escape_hazard: RUN-ONCE
  # :: escape_hazard: REPLACED by heredoc expansion
  # :: escape_hazard: ABANDONED
  # :: expand_ssl_config: RUN-ONCE BYPASS
  # : manage_ssl_config: Safe SSL conf OK: /dev/shm/easyrsa/pki/81c66eaf/temp.4.1
Using configuration from /dev/shm/easyrsa/pki/81c66eaf/temp.4.1

The SSL conf file used by LibreSSL here is temp.4.1, not temp.5.1; this drops the newly inserted copy_extensions = copy.

Also, temp-file temp.5.1 is not expanded to a Safe SSL config file.

Example 1.3:

Enter pass phrase for /dev/shm/easyrsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'c6'
Certificate is to be certified until Aug 31 15:39:21 2026 GMT (825 days)

Write out database with 1 new entries
Data Base Updated
  # sign_req: signed cert 'c6' OK

Notice
------
Certificate created at:
* /dev/shm/easyrsa/pki/issued/c6.crt


Notice
------
Inline file created:
* /dev/shm/easyrsa/pki/inline/c6.inline

Temp session preserved: /dev/shm/easyrsa/pki/tmp/lssl
  # Exit: Final Success = true

Completed.

So, easyrsa updates the wrong file when adding --copy-exts data.
For LibreSSL, the safessl-easyrsa.cnf file must be in use, not openssl-easyrsa.cnf.

Using OpenSSL, the correct files are selected because there is no confusion about which SSL config file to use.

Collaborator Author

TinCanTech commented May 28, 2024

From PR: #1150

Fixed example 1.0:

tct@home:/dev/shm/easyrsa$ EASYRSA_TOOLS_LIB=/home/tct/git/easy-rsa/tct-fork/master/dev/easyrsa-tools.lib EASYRSA_OPENSSL=/home/tct/libressl/libressl-3.8.2/apps/openssl/openssl easyrsa --verbose --nopass --san=DNS:www.example.org --san=IP:10.0.0.1 --keep-tmp=lssl build-client-full c04
  # select_vars: PWD/vars
Using Easy-RSA 'vars' configuration:
* /dev/shm/easyrsa/vars
  # source_vars: CLEAN '/dev/shm/easyrsa/vars'
  # source_vars: sourced OK '/dev/shm/easyrsa/vars'
  # mutual_exclusions: COMPLETED
  # > EASYRSA_EXT_DIR: built-in
  # > EASYRSA_SSL_CONF: /dev/shm/easyrsa/pki/openssl-easyrsa.cnf
  # > EASYRSA_TOOLS_LIB: /home/tct/git/easy-rsa/tct-fork/master/dev/easyrsa-tools.lib
  # locate_support_files: COMPLETED
  # verify_ssl_lib():
Using SSL:
* /home/tct/libressl/libressl-3.8.2/apps/openssl/openssl LibreSSL 3.8.2
  # verify_working_env: BEGIN
  # secure_session: CREATED: /dev/shm/easyrsa/pki/956d84f3
  # write_easyrsa_ssl_cnf_tmp: SSL config EXISTS
  # write_easyrsa_ssl_cnf_tmp: SSL config IGNORED
  # easyrsa_mktemp: ssl_cnf_tmp OK: /dev/shm/easyrsa/pki/956d84f3/temp.0.1
  # write_easyrsa_ssl_cnf_tmp: SSL config using temp-file
  # verify_algo_params: Params verified for algo 'rsa'
  # verify_working_env: COMPLETED Handover-to: build-client-full
  # build_full: BEGIN gen_req
  # easyrsa_mktemp: adjusted_ssl_cnf_tmp OK: /dev/shm/easyrsa/pki/956d84f3/temp.1.1
  # easyrsa_mktemp: key_out_tmp OK: /dev/shm/easyrsa/pki/956d84f3/temp.2.1
  # easyrsa_mktemp: req_out_tmp OK: /dev/shm/easyrsa/pki/956d84f3/temp.3.1
  # > easyrsa_openssl - BEGIN req
  # escape_hazard: RUN-ONCE
  # escape_hazard: REPLACED by heredoc expansion
  # escape_hazard: ABANDONED
  # expand_ssl_config: REQUIRED
  # expand_ssl_config: RUN-ONCE
  # easyrsa_mktemp: safe_ssl_cnf_tmp OK: /dev/shm/easyrsa/pki/956d84f3/temp.4.1
  # expand_ssl_config: via 'write' COMPLETED
  # expand_ssl_config: EASYRSA_SSL_CONF = /dev/shm/easyrsa/pki/956d84f3/temp.4.1
  # easyrsa_openssl: OPENSSL_CONF = /dev/shm/easyrsa/pki/956d84f3/temp.4.1

Note: OPENSSL_CONF = /dev/shm/easyrsa/pki/956d84f3/temp.4.1

Fixed example 1.1:

Generating a 2048 bit RSA private key
..........................................
.....................................
writing new private key to '/dev/shm/easyrsa/pki/956d84f3/temp.2.1'
-----

Notice
------
Private-Key and Public-Certificate-Request files created.
Your files are:
* req: /dev/shm/easyrsa/pki/reqs/c04.req
* key: /dev/shm/easyrsa/pki/private/c04.key 


  # build_full: END gen_req
  # build_full: BEGIN sign_req
  # > easyrsa_openssl - BEGIN req
  # escape_hazard: RUN-ONCE
  # escape_hazard: REPLACED by heredoc expansion
  # escape_hazard: ABANDONED
  # expand_ssl_config: BYPASSED
  # easyrsa_openssl: OPENSSL_CONF = /dev/shm/easyrsa/pki/956d84f3/temp.4.1
  # check_serial_unique: unique_serial=true
  # easyrsa_mktemp: adjusted_ssl_cnf_tmp OK: /dev/shm/easyrsa/pki/956d84f3/temp.5.1
  # sign_req: Using 'copy_extensions = copy'
  # sign_req: EASYRSA_SSL_CONF = /dev/shm/easyrsa/pki/956d84f3/temp.5.1
  # easyrsa_mktemp: write_x509_file_tmp OK: /dev/shm/easyrsa/pki/956d84f3/temp.6.1
  # write_x509_type_tmp: client COMPLETE
  # easyrsa_mktemp: write_x509_file_tmp OK: /dev/shm/easyrsa/pki/956d84f3/temp.7.1
  # write_x509_type_tmp: COMMON COMPLETE
  # easyrsa_mktemp: ext_tmp OK: /dev/shm/easyrsa/pki/956d84f3/temp.8.1
  # sign_req: Generated extensions file OK
You are about to sign the following certificate:

  Requested CN:   'c04'
  Requested type: 'client'
  Valid for:      '825' days

subject=
    commonName                = c04

            X509v3 Subject Alternative Name:
                DNS:www.example.org, IP:10.0.0.1

Type the word 'yes' to continue, or any other input to abort.
  Confirm request details: yes

  # easyrsa_mktemp: crt_out_tmp OK: /dev/shm/easyrsa/pki/956d84f3/temp.9.1
  # > easyrsa_openssl - BEGIN ca
  # escape_hazard: RUN-ONCE
  # escape_hazard: REPLACED by heredoc expansion
  # escape_hazard: ABANDONED
  # expand_ssl_config: BYPASSED
  # easyrsa_openssl: OPENSSL_CONF = /dev/shm/easyrsa/pki/956d84f3/temp.5.1
Using configuration from /dev/shm/easyrsa/pki/956d84f3/temp.5.1

Note: OPENSSL_CONF = /dev/shm/easyrsa/pki/956d84f3/temp.5.1

Fixed example 1.2:

Enter pass phrase for /dev/shm/easyrsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :ASN.1 12:'c04'
Certificate is to be certified until Aug 31 18:50:51 2026 GMT (825 days)

Write out database with 1 new entries
Data Base Updated
  # sign_req: signed cert 'c04' OK

Notice
------
Certificate created at:
* /dev/shm/easyrsa/pki/issued/c04.crt

  # build_full: END sign_req

Notice
------
Inline file created:
* /dev/shm/easyrsa/pki/inline/c04.inline

Temp session preserved: /dev/shm/easyrsa/pki/tmp/lssl
  # Exit: Final Success = true

The correct OPENSSL_CONF file is used each time and verbose output confirms this.
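The two comments above differ in one observable way: whether the file named on the "Using configuration from" line matches the last `EASYRSA_SSL_CONF = ` value logged before it. The following check is an added example, not code from Easy-RSA or from PR #1150; the function names are hypothetical, the log lines are excerpts copied from the outputs above, and it assumes file paths contain no whitespace.

```shell
#!/bin/sh
# Added example. Reads `easyrsa --verbose` output on stdin and checks that every
# "Using configuration from <file>" line (printed by the SSL library's 'ca'
# command) names the file from the most recent "EASYRSA_SSL_CONF = <file>" line.
# Returns 0 = consistent, 1 = mismatch, 2 = no 'ca' run found in the input.
check_ssl_conf_log() {
    awk '
        / EASYRSA_SSL_CONF = /       { want = $NF }
        /^Using configuration from / {
            seen = 1
            if (want == "")       { print "UNKNOWN used=" $NF; bad = 1 }
            else if ($NF != want) { print "MISMATCH want=" want " used=" $NF; bad = 1 }
            else                  { print "OK used=" $NF }
        }
        END {
            if (!seen) { print "NO-CA-RUN"; exit 2 }
            exit (bad ? 1 : 0)
        }
    '
}

# Excerpt from the first comment (before the fix).
log_before_fix() { cat <<'EOF'
  # Final EASYRSA_SSL_CONF = /dev/shm/easyrsa/pki/81c66eaf/temp.5.1
  # : easyrsa_openssl - BEGIN ca
  # : manage_ssl_config: Safe SSL conf OK: /dev/shm/easyrsa/pki/81c66eaf/temp.4.1
Using configuration from /dev/shm/easyrsa/pki/81c66eaf/temp.4.1
EOF
}

# Excerpt from the second comment (after the fix).
log_after_fix() { cat <<'EOF'
  # expand_ssl_config: EASYRSA_SSL_CONF = /dev/shm/easyrsa/pki/956d84f3/temp.4.1
  # sign_req: EASYRSA_SSL_CONF = /dev/shm/easyrsa/pki/956d84f3/temp.5.1
  # > easyrsa_openssl - BEGIN ca
  # easyrsa_openssl: OPENSSL_CONF = /dev/shm/easyrsa/pki/956d84f3/temp.5.1
Using configuration from /dev/shm/easyrsa/pki/956d84f3/temp.5.1
EOF
}

# Demo on the two excerpts; the first reports a mismatch, the second is clean.
log_before_fix | check_ssl_conf_log || true
log_after_fix  | check_ssl_conf_log || true
```

When checking a real run, merge both output streams before piping them in (for example with `2>&1`), so the SSL library's message and the verbose lines arrive in order.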
