ovpnmain.cgi: Fixes Bug#13137 - Existing n2n client connection created with openssl...

- With a n2n connection .p12 certificate created wityh openssl-1.1.1x the line
   providers legacy default is required in the n2nconf file to enable it to start.
- Any openssl-3.x attempt to open a .p12 file created with openssl-1.1.1x will result in
   a failure and an error message. All the openssl commands dealing with pkcs12 (.p12)
   files need to have the -legacy option added to them.

Fixes: Bug#13137
Tested-by: Adolf Belka <adolf.belka@ipfire.org>
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>

diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi
index 5c4fad0a5f3503906e991cb42b95160049f78936..88106251e806b3e988c39be6aeaec1908c145968 100755 (executable)
--- a/html/cgi-bin/ovpnmain.cgi
+++ b/html/cgi-bin/ovpnmain.cgi
@@ -1115,6 +1115,7 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General
   print CLIENTCONF "# Activate Management Interface and Port\n";
   if ($cgiparams{'OVPN_MGMT'} eq '') {print CLIENTCONF "management localhost $cgiparams{'DEST_PORT'}\n"}
   else {print CLIENTCONF "management localhost $cgiparams{'OVPN_MGMT'}\n"};
+  print CLIENTCONF "providers legacy default\n";
   close(CLIENTCONF);
 
 }
@@ -1648,7 +1649,7 @@ END
                goto ROOTCERT_ERROR;
            }
        } else {        # child
-           unless (exec ('/usr/bin/openssl', 'pkcs12', '-cacerts', '-nokeys',
+           unless (exec ('/usr/bin/openssl', 'pkcs12', '-legacy', '-cacerts', '-nokeys',
                    '-in', $filename,
                    '-out', "$tempdir/cacert.pem")) {
                $errormessage = "$Lang::tr{'cant start openssl'}: $!";
@@ -1671,7 +1672,7 @@ END
                goto ROOTCERT_ERROR;
            }
        } else {        # child
-           unless (exec ('/usr/bin/openssl', 'pkcs12', '-clcerts', '-nokeys',
+           unless (exec ('/usr/bin/openssl', 'pkcs12', '-legacy', '-clcerts', '-nokeys',
                    '-in', $filename,
                    '-out', "$tempdir/hostcert.pem")) {
                $errormessage = "$Lang::tr{'cant start openssl'}: $!";
@@ -1694,7 +1695,7 @@ END
                goto ROOTCERT_ERROR;
            }
        } else {        # child
-           unless (exec ('/usr/bin/openssl', 'pkcs12', '-nocerts',
+           unless (exec ('/usr/bin/openssl', 'pkcs12', '-legacy', '-nocerts',
                    '-nodes',
                    '-in', $filename,
                    '-out', "$tempdir/serverkey.pem")) {
@@ -2156,6 +2157,7 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){
    if ($confighash{$cgiparams{'KEY'}}[22] eq '') {print CLIENTCONF "management localhost $confighash{$cgiparams{'KEY'}}[29]\n"}
     else {print CLIENTCONF "management localhost $confighash{$cgiparams{'KEY'}}[22]\n"};
    print CLIENTCONF "# remsub $confighash{$cgiparams{'KEY'}}[11]\n";
+   print CLIENTCONF "providers legacy default\n";
 
 
     close(CLIENTCONF);
@@ -3296,6 +3298,7 @@ END
        print FILE "# Logfile\n";
        print FILE "status-version 1\n";
        print FILE "status /var/run/openvpn/$n2nname[0]-n2n 10\n";
+       print FILE "providers legacy default\n";
        close FILE;
 
        unless(move("$tempdir/$uplconffilename", "${General::swroot}/ovpn/n2nconf/$n2nname[0]/$uplconffilename2")) {
@@ -4242,7 +4245,7 @@ if ($cgiparams{'TYPE'} eq 'net') {
 
            # Create the pkcs12 file
            # The system call is safe, because all arguments are passed as an array.
-           system('/usr/bin/openssl', 'pkcs12', '-export',
+           system('/usr/bin/openssl', 'pkcs12', '-legacy', '-export',
                '-inkey', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem",
                '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem",
                '-name', $cgiparams{'NAME'},