Commit Graph

6 Commits

Author SHA1 Message Date
Adolf Belka
16d664b2bd ovpn.cnf: Removal of SKID & AKID from server section - Fixes Bug#13595
- The update to openssl-3.2.x introduced a bug fix which now gives an error if the
   subjectKeyIdentifier (SKID) or authorityKeyIdentifier (AKID) is in the x509 extensions
   for a CSR.
- See the following discussion in the openssl github issues
   https://github.com/openssl/openssl/issues/22966#issuecomment-1858396738
- The SKID & AKID should never have been specified in the CSR but due to a bug they were
   never flagged with an error, just ignored. Since the bug fix for that bug was put into
   OpenSSL-3.2.0 the presence of the SKID & AKID in the CSR causes an error to be flagged.
- The consequence of this is that in CU183 trying to create a new x509 root/host
   certificate gives an error when the CSR is generated so only the root certificate is
   created and not the host certificate.
- Tested out the removal of the SKID & AKID lines from the [ server ] section of the
   ovpn.cnf file and the root/host certificate set was created without any issue.
- Then tested the creation of a RW client connection and that worked with no problems. Also
   creating a fresh N2N connection worked without any problems.
- Also tested restoring from an earlier backup. The RW and N2N connections worked without
   issues with the AKID and SKID missing from the [ server ] section.
- It would be good if this could be merged into CU184 for final testing.

Fixes: Bug#13595
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2024-03-04 20:53:51 +00:00
Erik Kapfer
a946892338 del_rand: Deletion of RAND file in openssl config
Fixes #11943

Since the kernel RNG should do this, there is no need for this anymore.

Signed-off-by: Erik Kapfer <ummeegge@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2019-01-29 13:49:29 +00:00
Erik Kapfer
b66b02ab73 OpenVPN: Fix for '--ns-cert-type server is deprecated'.
- Added extended key usage based on RFC3280 TLS rules for OpenVPN's OpenSSL configuration,
so '--remote-cert-tls' can be used instead of the old and deprecated '--ns-cert-type'
if the host certificate is newly generated with these options.
Nevertheless both directives (old and new) will work also with old CAs.

- Automatic detection if the host certificate uses the new options.
If it does, '--remote-cert-tls server' will be automatically set into the client
configuration files for Net-to-Net and Roadwarrior connections.

If it does NOT, the old '--ns-cert-type server' directive will be set in the client
configuration file.

Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
2017-10-11 11:55:16 +01:00
Erik Kapfer
c2b5d12b34 OpenVPN: Add HMAC, cipher 'n2n' and DH key selection. Fixes and new design.
Added HMAC algorithm selection menu for N2N and RW.
Added cipher selection menu for N2N connections.
Added DH key selection also for existing installations incl. DH key upload possibility.
Adjusted the ovpn main WUI design to IPSec WUI.
Extend key length for CA, cert and control channel by a factor of 2.
Some code and typo cleanup.
Bugfixes for #10317, #10149, #10462, #10463
V.2 New changes:
Integrated changes in langs and ovpnmain.cgi until 20.03.2014 2.15-Beta3.
ovpn.cnf have now default bits of 2048 instead of 1024.
ovpn.cnf default_md works now with sha256 instead of md5.
Bugfix: On a new installation the auth directive for RWs is faded out, #10462 Comment 15.
Added error message if the crl should be displayed but no crl is present.
2014-04-13 07:14:25 +02:00
ms
e383179bb6 Update:
* Integrated Squid 2.5STABLE14.
Changed:
  * Moved xinetd configuration.
  * Fixed OpenVPN errors. Still does not work correctly. :(
  * Reworked Pakfire.
  * Extended credits and added GPL.
  * index.cgi, completely new look.


git-svn-id: http://svn.ipfire.org/svn/ipfire/trunk@155 ea5c0bd1-69bd-2848-81d8-4f18e57aeed8
2006-06-03 20:16:53 +00:00
ms
6e13d0a5c5 Added:
* OpenVPN GUI Alpha7
Changed:
  * XAMPP from 1.5.3 --> 1.5.3a


git-svn-id: http://svn.ipfire.org/svn/ipfire/trunk@152 ea5c0bd1-69bd-2848-81d8-4f18e57aeed8
2006-06-02 15:59:39 +00:00