mirror of
https://github.com/vincentmli/bpfire.git
synced 2026-04-13 04:22:58 +02:00
16d664b2bd
- The update to openssl-3.2.x introduced a bug fix which now gives an error if the subjectKeyIdentifier (SKID) or authorityKeyIdentifier (AKID) is in the x509 extensions for a CSR. - See the following discssion in the openssl github issues https://github.com/openssl/openssl/issues/22966#issuecomment-1858396738 - The SKID & AKID should never have been specified in the CSR but due to a bug they were never flagged with an error, just ignored. Since the bug fix for that bug was put into OpenSSL-3.2.0 the prescence of the SKID & AKID in the CSR causes an error to be flagged. - The consequence of this is that in CU183 trying to create a new x509 root/host certificate gives an error when the CSR is generated so only the root certificate is created and not the host certificate. - Tested out the removal of the SKID & AKID lines from the [ server ] section of the ovpn.cnf file and the root/host certificate set was created without any issue. - Then tested the creation of a RW client connection and that worked with no problems. Also creating a fresh N2N connection worked without any problems. - Also tested restoring from an earlier backup. The RW and N2N connections worked without issues with the AKID and SKID missing from the [ server ] section. - It would be good if this could be merged into CU184 for final testing. Fixes: Bug#13595 Tested-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>