vpnmain.cgi: Fixes bug#13138 - root/host certificate set fails to be created

- The change to openssl-3.x results in the openssl commands that start with ca failing
   with the error message
     OpenSSL produced an error: <br>40E7B4719B730000:error:0700006C:configuration file
     routines:NCONF_get_string:no value:crypto/conf/conf_lib.c:315:group=<NULL>
     name=unique_subject
- The fix for this is to include the unique_subject = yes line into
   /var/ipfire/certs/index.txt.attr
- Additionally, based on the learnings from bug#13137 on OpenVPN, any openssl commands
   dealing with pkcs12 (.p12) files that were created with openssl-1.1.1x fail when being
   accessed with openssl-3.x due to the no longer supported algorithm. These can be
   accessed if the -legacy option is added to every openssl command dealing with pkcs12

Fixes: Bug#13138
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>

diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 6c1fd4cf00b9461b10c4a3f9dc5d6f9f9cac045d..f2aeecdf96720d8e48262aae547a83d4ae4d4dff 100644 (file)
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -193,7 +193,7 @@ sub cleanssldatabase {
                close FILE;
        }
        if (open(FILE, ">${General::swroot}/certs/index.txt.attr")) {
-               print FILE "";
+               print FILE "unique_subject = yes";
                close FILE;
        }
        unlink ("${General::swroot}/certs/index.txt.old");
@@ -213,6 +213,7 @@ sub newcleanssldatabase {
        }
        if (! -s ">${General::swroot}/certs/index.txt.attr") {
                open(FILE, ">${General::swroot}/certs/index.txt.attr");
+               print FILE "unique_subject = yes";
                close(FILE);
        }
        unlink ("${General::swroot}/certs/index.txt.old");
@@ -907,7 +908,7 @@ END
                # Extract the CA certificate from the file
                &General::log("ipsec", "Extracting caroot from p12...");
                if (open(STDIN, "-|")) {
-                       my $opt = " pkcs12 -cacerts -nokeys";
+                       my $opt = " pkcs12 -legacy -cacerts -nokeys";
                        $opt .= " -in $filename";
                        $opt .= " -out /tmp/newcacert";
                        $errormessage = &callssl ($opt);
@@ -920,7 +921,7 @@ END
                if (!$errormessage) {
                        &General::log("ipsec", "Extracting host cert from p12...");
                        if (open(STDIN, "-|")) {
-                               my $opt = " pkcs12 -clcerts -nokeys";
+                               my $opt = " pkcs12 -legacy -clcerts -nokeys";
                                $opt .= " -in $filename";
                                $opt .= " -out /tmp/newhostcert";
                                $errormessage = &callssl ($opt);
@@ -934,7 +935,7 @@ END
                if (!$errormessage) {
                        &General::log("ipsec", "Extracting private key from p12...");
                        if (open(STDIN, "-|")) {
-                               my $opt = " pkcs12 -nocerts -nodes";
+                               my $opt = " pkcs12 -legacy -nocerts -nodes";
                                $opt .= " -in $filename";
                                $opt .= " -out /tmp/newhostkey";
                                $errormessage = &callssl ($opt);
@@ -1939,7 +1940,7 @@ END
                # Extract the CA certificate from the file
                &General::log("ipsec", "Extracting caroot from p12...");
                if (open(STDIN, "-|")) {
-                       my $opt = " pkcs12 -cacerts -nokeys";
+                       my $opt = " pkcs12 -legacy -cacerts -nokeys";
                        $opt .= " -in $filename";
                        $opt .= " -out /tmp/newcacert";
                        $errormessage = &callssl ($opt);
@@ -1952,7 +1953,7 @@ END
                if (!$errormessage) {
                        &General::log("ipsec", "Extracting host cert from p12...");
                        if (open(STDIN, "-|")) {
-                               my $opt = " pkcs12 -clcerts -nokeys";
+                               my $opt = " pkcs12 -legacy -clcerts -nokeys";
                                $opt .= " -in $filename";
                                $opt .= " -out /tmp/newhostcert";
                                $errormessage = &callssl ($opt);
@@ -2197,7 +2198,7 @@ END
 
                # Create the pkcs12 file
                &General::log("ipsec", "Packing a pkcs12 file...");
-               $opt = " pkcs12 -export";
+               $opt = " pkcs12 -legacy -export";
                $opt .= " -inkey ${General::swroot}/certs/$cgiparams{'NAME'}key.pem";
                $opt .= " -in ${General::swroot}/certs/$cgiparams{'NAME'}cert.pem";
                $opt .= " -name \"$cgiparams{'NAME'}\"";