Closed TinCanTech closed 1 month ago
From PR: #1150
tct@home:/dev/shm/easyrsa$ EASYRSA_TOOLS_LIB=/home/tct/git/easy-rsa/tct-fork/master/dev/easyrsa-tools.lib EASYRSA_OPENSSL=/home/tct/libressl/libressl-3.8.2/apps/openssl/openssl easyrsa --verbose --nopass --san=DNS:www.example.org --san=IP:10.0.0.1 --keep-tmp=lssl build-client-full c04
# select_vars: PWD/vars
Using Easy-RSA 'vars' configuration:
* /dev/shm/easyrsa/vars
# source_vars: CLEAN '/dev/shm/easyrsa/vars'
# source_vars: sourced OK '/dev/shm/easyrsa/vars'
# mutual_exclusions: COMPLETED
# > EASYRSA_EXT_DIR: built-in
# > EASYRSA_SSL_CONF: /dev/shm/easyrsa/pki/openssl-easyrsa.cnf
# > EASYRSA_TOOLS_LIB: /home/tct/git/easy-rsa/tct-fork/master/dev/easyrsa-tools.lib
# locate_support_files: COMPLETED
# verify_ssl_lib():
Using SSL:
* /home/tct/libressl/libressl-3.8.2/apps/openssl/openssl LibreSSL 3.8.2
# verify_working_env: BEGIN
# secure_session: CREATED: /dev/shm/easyrsa/pki/956d84f3
# write_easyrsa_ssl_cnf_tmp: SSL config EXISTS
# write_easyrsa_ssl_cnf_tmp: SSL config IGNORED
# easyrsa_mktemp: ssl_cnf_tmp OK: /dev/shm/easyrsa/pki/956d84f3/temp.0.1
# write_easyrsa_ssl_cnf_tmp: SSL config using temp-file
# verify_algo_params: Params verified for algo 'rsa'
# verify_working_env: COMPLETED Handover-to: build-client-full
# build_full: BEGIN gen_req
# easyrsa_mktemp: adjusted_ssl_cnf_tmp OK: /dev/shm/easyrsa/pki/956d84f3/temp.1.1
# easyrsa_mktemp: key_out_tmp OK: /dev/shm/easyrsa/pki/956d84f3/temp.2.1
# easyrsa_mktemp: req_out_tmp OK: /dev/shm/easyrsa/pki/956d84f3/temp.3.1
# > easyrsa_openssl - BEGIN req
# escape_hazard: RUN-ONCE
# escape_hazard: REPLACED by heredoc expansion
# escape_hazard: ABANDONED
# expand_ssl_config: REQUIRED
# expand_ssl_config: RUN-ONCE
# easyrsa_mktemp: safe_ssl_cnf_tmp OK: /dev/shm/easyrsa/pki/956d84f3/temp.4.1
# expand_ssl_config: via 'write' COMPLETED
# expand_ssl_config: EASYRSA_SSL_CONF = /dev/shm/easyrsa/pki/956d84f3/temp.4.1
# easyrsa_openssl: OPENSSL_CONF = /dev/shm/easyrsa/pki/956d84f3/temp.4.1
Note: OPENSSL_CONF = /dev/shm/easyrsa/pki/956d84f3/temp.4.1
Generating a 2048 bit RSA private key
..........................................
.....................................
writing new private key to '/dev/shm/easyrsa/pki/956d84f3/temp.2.1'
-----
Notice
------
Private-Key and Public-Certificate-Request files created.
Your files are:
* req: /dev/shm/easyrsa/pki/reqs/c04.req
* key: /dev/shm/easyrsa/pki/private/c04.key
# build_full: END gen_req
# build_full: BEGIN sign_req
# > easyrsa_openssl - BEGIN req
# escape_hazard: RUN-ONCE
# escape_hazard: REPLACED by heredoc expansion
# escape_hazard: ABANDONED
# expand_ssl_config: BYPASSED
# easyrsa_openssl: OPENSSL_CONF = /dev/shm/easyrsa/pki/956d84f3/temp.4.1
# check_serial_unique: unique_serial=true
# easyrsa_mktemp: adjusted_ssl_cnf_tmp OK: /dev/shm/easyrsa/pki/956d84f3/temp.5.1
# sign_req: Using 'copy_extensions = copy'
# sign_req: EASYRSA_SSL_CONF = /dev/shm/easyrsa/pki/956d84f3/temp.5.1
# easyrsa_mktemp: write_x509_file_tmp OK: /dev/shm/easyrsa/pki/956d84f3/temp.6.1
# write_x509_type_tmp: client COMPLETE
# easyrsa_mktemp: write_x509_file_tmp OK: /dev/shm/easyrsa/pki/956d84f3/temp.7.1
# write_x509_type_tmp: COMMON COMPLETE
# easyrsa_mktemp: ext_tmp OK: /dev/shm/easyrsa/pki/956d84f3/temp.8.1
# sign_req: Generated extensions file OK
You are about to sign the following certificate:
Requested CN: 'c04'
Requested type: 'client'
Valid for: '825' days
subject=
commonName = c04
X509v3 Subject Alternative Name:
DNS:www.example.org, IP:10.0.0.1
Type the word 'yes' to continue, or any other input to abort.
Confirm request details: yes
# easyrsa_mktemp: crt_out_tmp OK: /dev/shm/easyrsa/pki/956d84f3/temp.9.1
# > easyrsa_openssl - BEGIN ca
# escape_hazard: RUN-ONCE
# escape_hazard: REPLACED by heredoc expansion
# escape_hazard: ABANDONED
# expand_ssl_config: BYPASSED
# easyrsa_openssl: OPENSSL_CONF = /dev/shm/easyrsa/pki/956d84f3/temp.5.1
Using configuration from /dev/shm/easyrsa/pki/956d84f3/temp.5.1
Note: OPENSSL_CONF = /dev/shm/easyrsa/pki/956d84f3/temp.5.1
Enter pass phrase for /dev/shm/easyrsa/pki/private/ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'c04'
Certificate is to be certified until Aug 31 18:50:51 2026 GMT (825 days)
Write out database with 1 new entries
Data Base Updated
# sign_req: signed cert 'c04' OK
Notice
------
Certificate created at:
* /dev/shm/easyrsa/pki/issued/c04.crt
# build_full: END sign_req
Notice
------
Inline file created:
* /dev/shm/easyrsa/pki/inline/c04.inline
Temp session preserved: /dev/shm/easyrsa/pki/tmp/lssl
# Exit: Final Success = true
The correct `OPENSSL_CONF` file is used each time and verbose output confirms this.

When using LibreSSL the SSL config is expanded to `safessl-easyrsa.cnf`. However, the code reverts back to the last expanded `openssl-easyrsa.cnf` file during the signing phase `sign-req`.

The simplest solution is to ALWAYS use `openssl-easyrsa.cnf` and ONLY expand it for use by LibreSSL when the `easyrsa_openssl` function is called. Effectively removing ALL use of `safessl-easyrsa.cnf`.

Example 1.0: The `gen-req` phase correctly uses Safe SSL conf `temp.4.1` above.

Example 1.1: The Final SSL conf is set to `temp.5.1`.

Example 1.2: The SSL conf file used by LibreSSL here is `temp.4.1`, not `temp.5.1`; this drops the newly inserted `copy_extensions = copy`. Also, temp-file `temp.5.1` is not expanded to a Safe SSL config file.

Example 1.3: Completed.

So, `easyrsa` updates the wrong file when adding `--copy-exts` data. For LibreSSL, the `safessl-easyrsa.cnf` file must be in use, not `openssl-easyrsa.cnf`.

Using OpenSSL, the correct files are selected because there is no confusion about which SSL config file to use.
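To make the proposed fix concrete, here is an added, self-contained shell sketch (not Easy-RSA's own code) of the wrapper behaviour described above: the config is always `openssl-easyrsa.cnf` (or a per-call adjusted copy of it), and the "safe" expansion for LibreSSL happens only inside the openssl wrapper, from whatever file is current at that moment. The function names (`expand_ssl_config`, `resolve_openssl_conf`, `prepare_sign_conf`), the sandbox paths and the config contents are constructed for the example. It also assumes that "expanding" means replacing `$ENV::NAME` references with their literal values, which the issue text does not spell out; the check at the end is the one a practitioner would want after `sign-req`: the file actually handed to the library must be both expanded and carry `copy_extensions = copy`.

```shell
#!/bin/sh
# Added example: per-call expansion of the current SSL config for LibreSSL.
# Stand-in for the easyrsa session dir (temp files live here; removed on exit).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

EASYRSA_SSL_LIB=libressl                       # or: openssl
EASYRSA_SSL_CONF="$WORK/openssl-easyrsa.cnf"   # always the $ENV:: form
export EASYRSA_PKI="$WORK/pki"                 # value the expansion substitutes

# Constructed stand-in for openssl-easyrsa.cnf with $ENV:: references
# (assumption: these are what LibreSSL cannot resolve on its own).
cat > "$EASYRSA_SSL_CONF" <<'EOF'
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $ENV::EASYRSA_PKI
new_certs_dir = $ENV::EASYRSA_PKI/certs_by_serial
EOF

# expand_ssl_config FILE: write a copy of FILE with every $ENV::NAME replaced
# by the exported value of NAME; prints the path of the expanded file.
expand_ssl_config() {
    out=$(mktemp "$WORK/safe.XXXXXX")
    awk '{
        while (match($0, /\$ENV::[A-Za-z_][A-Za-z0-9_]*/)) {
            name = substr($0, RSTART + 6, RLENGTH - 6)      # strip "$ENV::"
            $0 = substr($0, 1, RSTART - 1) ENVIRON[name] substr($0, RSTART + RLENGTH)
        }
        print
    }' "$1" > "$out"
    printf '%s\n' "$out"
}

# resolve_openssl_conf: what the openssl wrapper would point OPENSSL_CONF at.
# LibreSSL gets a fresh expansion of the *current* EASYRSA_SSL_CONF on every
# call; OpenSSL reads the $ENV:: form directly. Prints the chosen path.
resolve_openssl_conf() {
    if [ "$EASYRSA_SSL_LIB" = libressl ]; then
        expand_ssl_config "$EASYRSA_SSL_CONF"
    else
        printf '%s\n' "$EASYRSA_SSL_CONF"
    fi
}

# prepare_sign_conf: the sign-req phase writes an adjusted copy of the base
# config with 'copy_extensions = copy' appended and makes it current.
prepare_sign_conf() {
    adjusted=$(mktemp "$WORK/adjusted.XXXXXX")
    cp "$EASYRSA_SSL_CONF" "$adjusted"
    printf 'copy_extensions = copy\n' >> "$adjusted"
    EASYRSA_SSL_CONF="$adjusted"
}

# Post-sign checks on the file the library was actually given.
conf_has_copy_exts() { grep -q '^copy_extensions = copy$' "$1"; }
conf_is_expanded()   { ! grep -q '\$ENV::' "$1"; }

# Walk the two phases from the log: gen-req, then sign-req.
gen_conf=$(resolve_openssl_conf)   # analogue of temp.4.1: expanded, no copy_extensions
prepare_sign_conf                  # analogue of temp.5.1: adjusted, not yet expanded
sign_conf=$(resolve_openssl_conf)  # expanded from the adjusted file, not from gen_conf

if conf_has_copy_exts "$sign_conf" && conf_is_expanded "$sign_conf"; then
    echo "sign-req config OK: $sign_conf"
else
    echo "BUG: sign-req config lacks copy_extensions or is unexpanded: $sign_conf"
fi
```

Run it with `sh` or `bash`; switch `EASYRSA_SSL_LIB` to `openssl` to see the wrapper hand the unexpanded base file through unchanged. The design point is that the expansion result is never cached across phases: each wrapper call derives it from the config that is current right then, so a per-phase adjustment such as `copy_extensions = copy` cannot be lost the way `temp.5.1` was in the log above.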