From a2eb705bd9a144f2106c6d090efea48dc09a7508 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Sun, 21 Sep 2025 18:07:50 +0100
Subject: [PATCH 1/2] Remove: write_global_safe_ssl_cnf_tmp()
write_global_safe_ssl_cnf_tmp() conditionally expanded the existing SSL config file, without updating $EASYRSA_SSL_CONF. The 'global' file is no nonger required. Replace superfluous function 'write_global_safe_ssl_cnf_tmp()'; With the intended function 'write_easyrsa_ssl_cnf_tmp()' This conditonally 'expands' any SSL config file, currently in use, OR creates a correctly formatted SSL config file. Required 'expansion' is conditionally set by use of LibreSSL. Option --force-safe-ssl will expand an existing SSL config file OR force an expanded-default SSL config file. UT Passed on OpenBSD.
Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 21 ++++-----------------
 1 file changed, 4 insertions(+), 17 deletions(-)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 3968897bf..8928ef3ee 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -2813,7 +2813,7 @@ Conflicting file found at:
 remove_secure_session
 secure_session
 locate_support_files
- write_global_safe_ssl_cnf_tmp
+ write_easyrsa_ssl_cnf_tmp
 # Require --copy-ext
 export EASYRSA_CP_EXT=1
@@ -4237,7 +4237,7 @@ read_db() {
 remove_secure_session
 secure_session
 locate_support_files
- write_global_safe_ssl_cnf_tmp
+ write_easyrsa_ssl_cnf_tmp
 # Interpret the db/certificate record
 unset -v db_serial db_cn db_revoke_date db_reason
@@ -5787,7 +5787,7 @@ Using Easy-RSA 'vars' configuration:
 easyrsa_mktemp test_temp_file
 # global safe ssl cnf temp
- write_global_safe_ssl_cnf_tmp
+ write_easyrsa_ssl_cnf_tmp
 # Verify selected algorithm and parameters
 verify_algo_params
@@ -5807,7 +5807,7 @@ Using Easy-RSA 'vars' configuration:
 easyrsa_mktemp test_temp_file
 # global safe ssl cnf temp
- write_global_safe_ssl_cnf_tmp
+ write_easyrsa_ssl_cnf_tmp
 fi
 fi
@@ -5855,19 +5855,6 @@ force_set_var() {
 die "force_set_var - set_var '$*'"
 } # => force_set_var()
-# global Safe SSL conf file, for use by any SSL lib
-write_global_safe_ssl_cnf_tmp() {
- global_safe_ssl_cnf_tmp=
- easyrsa_mktemp global_safe_ssl_cnf_tmp
-
- write_legacy_file_v2 safe-cnf "$global_safe_ssl_cnf_tmp" \
- overwrite || die "verify_working_env - write safe-cnf"
-
- export OPENSSL_CONF="$global_safe_ssl_cnf_tmp"
- verbose "\
-write_global_safe_ssl_cnf_tmp; GLOBAL OPENSSL_CONF = $OPENSSL_CONF"
-} # => write_global_safe_ssl_cnf_tmp()
-
 # Create as needed: $EASYRSA_SSL_CONF pki/openssl-easyrsa.cnf
 # If the existing file has a known hash then use temp-file.
 # Otherwise, use the file in place.
From 110e31f7d5b83ceb98bb7da0089b44c3930fbcf3 Mon Sep 17 00:00:00 2001
From: Richard T Bonhomme
Date: Sun, 21 Sep 2025 20:44:24 +0100
Subject: [PATCH 2/2] write_legacy_file_v2(): Enforce $EASYRSA_FORCE_SAFE_SSL
Signed-off-by: Richard T Bonhomme
---
 easyrsa3/easyrsa | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
index 8928ef3ee..05f03c416 100755
--- a/easyrsa3/easyrsa
+++ b/easyrsa3/easyrsa
@@ -6069,11 +6069,17 @@ write_legacy_file_v2() {
 # Select by type
 case "$write_type" in
- ssl-cnf)
- set_openssl_easyrsa_cnf_vars unexpanded
- ;;
- safe-cnf)
- set_openssl_easyrsa_cnf_vars expanded
+ ssl-cnf|safe-cnf)
+ # Select or enforce expansion
+ if [ "$write_type" = safe-cnf ] || [ "$EASYRSA_FORCE_SAFE_SSL" ]
+ then
+ expansion=expanded
+ else
+ expansion=unexpanded
+ fi
+
+ # Set SSL config vars as per required expansion
+ set_openssl_easyrsa_cnf_vars "$expansion"
 ;;
 vars)
 ;;
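Review bot: The new `expansion` variable in the ssl-cnf|safe-cnf branch is assigned without being cleared or scoped, so in this POSIX sh script (no `local`) it stays set in the global namespace after write_legacy_file_v2() returns and can collide with any other use of the name; the file's own convention, seen in the read_db hunk of the first patch, is `unset -v` before use. I would add `unset -v expansion` directly above `case "$write_type" in`, or failing that after the `set_openssl_easyrsa_cnf_vars "$expansion"` line. The `[ "$EASYRSA_FORCE_SAFE_SSL" ]` test also treats any non-empty value, including `0` or `no`, as forcing expansion, which deserves a line in the comment: `# Any non-empty EASYRSA_FORCE_SAFE_SSL forces an expanded config`. The body of write_legacy_file_v2() starts and ends outside this hunk, so a declaration of expansion elsewhere in the function cannot be ruled out from here.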