Closed TinCanTech closed 3 months ago
EasyRSA v3.2.0
To reproduce: Generate a request with a SAN:
./easyrsa --verbose --nopass --san=DNS:s04.tct.org --san=IP:10.0.0.4 gen-req s04
Sign the request using --copy-ext, to copy the SAN; and --force-safe-ssl, to force here-doc expansion of openssl-easyrsa.cnf:
./easyrsa --verbose --nopass --copy-ext --force-safe-ssl sign-req server s04
The forced here-doc expansion over-writes the SSL config in use. This removes "copy_extensions = copy" which has been previously inserted.
The signed certificate does not have the expected SAN.
Link: #1158
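
A post-signing check for the failure reported above, as an added example that is not part of the original issue or of EasyRSA: it compares the SAN entries in `openssl -text` dumps of the request and of the signed certificate. The function names, file names and sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example (not EasyRSA code). Inputs are text dumps, produced e.g. with:
#   openssl req  -in <request file> -noout -text > req.txt
#   openssl x509 -in <cert file>    -noout -text > crt.txt

# Print one SAN entry per line from an openssl -text dump read on stdin.
san_list() {
    awk '
        grab { gsub(/^[ \t]+/, "")
               n = split($0, a, /, */)
               for (i = 1; i <= n; i++) if (a[i] != "") print a[i]
               grab = 0 }
        /X509v3 Subject Alternative Name:/ { grab = 1 }
    ' | sort -u
}

# Print SAN entries found in request dump $1 but not in certificate dump $2.
# Exit status: 0 = every requested SAN was copied, 1 = at least one is missing.
san_missing() {
    crt_sans=$(san_list < "$2")
    san_list < "$1" | (
        rc=0
        while IFS= read -r entry; do
            printf '%s\n' "$crt_sans" | grep -Fxq -- "$entry" && continue
            printf '%s\n' "$entry"
            rc=1
        done
        exit "$rc"
    )
}

# Constructed sample dumps modelled on the report: the request carries both
# SANs, the certificate signed with --force-safe-ssl carries none.
demo_dir=$(mktemp -d)
cat > "$demo_dir/req.txt" <<'EOF'
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:s04.tct.org, IP Address:10.0.0.4
EOF
cat > "$demo_dir/crt.txt" <<'EOF'
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
EOF
if san_missing "$demo_dir/req.txt" "$demo_dir/crt.txt"; then
    echo "OK: all requested SANs are in the certificate"
else
    echo "FAIL: the SANs listed above were dropped at signing"
fi
```

Running the check after every `sign-req` that uses `--copy-ext` catches a certificate issued without the requested names before it is deployed.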