OpenVPN / easy-rsa

easy-rsa - Simple shell based CA utility

Outline use and expansion of `openssl-easyrsa.cnf` #1158

Closed TinCanTech closed 3 months ago

TinCanTech commented 4 months ago

OpenSSL

OpenSSL does not require any expansion of openssl-easyrsa.cnf and will use it as designed by EasyRSA.

LibreSSL

LibreSSL does not allow openssl-easyrsa.cnf to contain any references to env-vars. Any attempt to do so fails.

This means that ancillary code, such as display_dn(), must either use an expanded SSL config file or use no config file at all.

Only the final, edited version of openssl-easyrsa.cnf needs to be expanded for the command in use, e.g. sign-req.

Ancillary code

All ancillary code, eg. display_dn() ~can use export OPENSSL_CONF=/dev/null, to avoid loading the current config file~.

~This allows an unexpanded openssl-easyrsa.cnf to be used and edited by the script and only expanded prior to the final SSL command, e.g. openssl x509.~

Here-doc use: OpenSSL

OpenSSL does not require expanding here-docs but can still use the built-in here-doc to provide an unexpanded openssl-easyrsa.cnf, when it is missing.

Here-doc use: LibreSSL

Use of an expanded here-doc for LibreSSL can only be done before the main command is called. This is due to commands like build-ca, which edit openssl-easyrsa.cnf on the fly. Using an expanded here-doc MUST be done after EASYRSA_REQ_CN is set, in order that the config file expands the commonName correctly. Expanding a here-doc, after editing the config file in place, incorrectly over-writes the changes made to the SSL config.

This means that expanding openssl-easyrsa.cnf for LibreSSL can only be done via sed (or possibly awk). Expansion cannot be done via a here-doc after the file has been edited.

Conclusion

Expanding a here-doc for use by LibreSSL is incorrect. LibreSSL can use the unexpanded openssl-easyrsa.cnf, up until the command in use calls LibreSSL for the main command. Then use sed for expansion. Thus, removing here-doc expansion is required.

A here-doc can still be used to provide an unexpanded openssl-easyrsa.cnf, when it is missing from the installation.

Alternate conclusion under consideration

It is possible to use here-doc expansion for LibreSSL, provided that the here-doc is expanded AFTER EASYRSA_REQ_CN is set and BEFORE any subsequent edits are made to openssl-easyrsa.cnf.

~This would allow removal of sed expansion~ .. which is my preferred goal.

sed expansion of openssl-easyrsa.cnf in-place (not generated) is ALWAYS required for LibreSSL. Therefore, it is preferred to generate this file, unless the file in-place is not an EasyRSA original.

Notes:

TinCanTech commented 4 months ago

The most sensible solution seems to be:

  1. Create a global expanded SSL-cnf, for all commands.
  2. Re-create a new expanded SSL-cnf AFTER EASYRSA_REQ_CN has been set, for commands that require EASYRSA_REQ_CN.
  3. Use EASYRSA_SSL_CONF to track the SSL-cnf in use by the command.
  4. Use OPENSSL_CONF, set to EASYRSA_SSL_CONF, as required.

This only requires here-doc expansion, not sed.

This immediately supports both OpenSSL and LibreSSL, without requiring differentiation!

If the openssl-easyrsa.cnf file in place is recognised, it can be ignored.

If not, then it MUST be expanded by sed.
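The two expansion strategies compared in this thread, as an added shell example that is not easy-rsa's own code: the config fragment, the function names and the `commonName_default` line are constructed stand-ins modelled on the style of openssl-easyrsa.cnf, and the check is the LibreSSL constraint stated above (no env-var references may remain).

```shell
#!/bin/sh
# Added example, not easy-rsa code. A minimal constructed fragment stands in
# for openssl-easyrsa.cnf; only commonName_default is modelled.

# Here-doc providing an UNEXPANDED config when none is installed: the quoted
# delimiter keeps the OpenSSL-style $ENV:: reference literal. OpenSSL reads
# this as-is; LibreSSL refuses it.
write_unexpanded_cnf() {
  cat > "$1" <<'EOF'
[ req_distinguished_name ]
commonName_default = $ENV::EASYRSA_REQ_CN
EOF
}

# Steps 1-3 of the proposed solution: here-doc expansion. The unquoted
# delimiter makes the shell substitute ${EASYRSA_REQ_CN} at write time, so
# this must run AFTER EASYRSA_REQ_CN is set, and re-running it after the
# file has been edited in place would overwrite those edits.
write_expanded_cnf() {
  cat > "$1" <<EOF
[ req_distinguished_name ]
commonName_default = ${EASYRSA_REQ_CN}
EOF
  EASYRSA_SSL_CONF="$1"          # track the SSL-cnf the command will use
  export EASYRSA_SSL_CONF
  OPENSSL_CONF="$EASYRSA_SSL_CONF"
  export OPENSSL_CONF
}

# Alternative for a pre-existing unexpanded file: sed rewrites the $ENV::
# reference (assumes EASYRSA_REQ_CN contains no '|' delimiter).
sed_expand_cnf() {
  sed -e 's|\$ENV::EASYRSA_REQ_CN|'"${EASYRSA_REQ_CN}"'|g' "$1" > "$2"
}

# LibreSSL requirement: returns 0 when no $ENV:: reference is left.
cnf_is_expanded() {
  ! grep -q '\$ENV::' "$1"
}

# Value the file carries for commonName_default.
cnf_common_name() {
  sed -n 's/^commonName_default = //p' "$1"
}
```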