Updated "easy-rsa" for OpenSSL 1.0.0

This patch fixes remaining issues with Trac ticket #125. It does the following:

- Update easy-rsa/2.0/README
- Rename easy-rsa/2.0/openssl.cnf as openssl-0.9.8.cnf
- Add easy-rsa/2.0/openssl-1.0.0.cnf
- Updated vars.bat.sample to use openssl-1.0.0.cnf
- Updated win/openvpn.nsi to use openssl-1.0.0.cnf
- Add a few undefined variables to vars and vars.bat.sample:
  required by OpenSSL 1.0.0 (at least on Windows)

Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
Tested-by: Samuli Seppänen <samuli@openvpn.net>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>

diff --git a/easy-rsa/2.0/README b/easy-rsa/2.0/README
index bde0d8c0c22dd1794ca1589a7373596d20eccf4c..6f5395c1bcad33ded7e4f58c9701d6642e779ecf 100644 (file)
--- a/easy-rsa/2.0/README
+++ b/easy-rsa/2.0/README
@@ -74,8 +74,8 @@ Release Notes for easy-rsa-2.0
 INSTALL easy-rsa
 
 1. Edit vars.
-2. Set KEY_CONFIG to point to the openssl.cnf file
-   included in this distribution.
+2. Set KEY_CONFIG to point to the correct openssl-<version>.cnf
+   file included in this distribution.
 3. Set KEY_DIR to point to a directory which will
    contain all keys, certificates, etc.  This
    directory need not exist, and if it does,

diff --git a/easy-rsa/2.0/openssl.cnf b/easy-rsa/2.0/openssl-1.0.0.cnf
similarity index 93%
rename from easy-rsa/2.0/openssl.cnf
rename to easy-rsa/2.0/openssl-1.0.0.cnf
index 3e4d3b3482b63710ec0c3702ddba249640a6126a..fa258a54f04ba64ebc40f18be9c1594f7bd0cb81 100755 (executable)
--- a/easy-rsa/2.0/openssl.cnf
+++ b/easy-rsa/2.0/openssl-1.0.0.cnf
@@ -1,9 +1,4 @@
-# For use with easy-rsa version 2.0
-
-#
-# OpenSSL example configuration file.
-# This is mostly being used for generation of certificate requests.
-#
+# For use with easy-rsa version 2.0 and OpenSSL 1.0.0*
 
 # This definition stops the following lines choking if HOME isn't
 # defined.
@@ -15,12 +10,12 @@ openssl_conf                = openssl_init
 # Extra OBJECT IDENTIFIER info:
 #oid_file              = $ENV::HOME/.oid
 oid_section            = new_oids
-engines                 = engine_section
+engines                        = engine_section
 
 # To use this configuration file with the "-extfile" option of the
 # "openssl x509" utility, name here the section containing the
 # X.509v3 extensions to use:
-# extensions           = 
+# extensions           =
 # (Alternatively, use a configuration file that has only
 # X.509v3 extensions in its main [= default] section.)
 
@@ -48,7 +43,7 @@ new_certs_dir = $dir                  # default place for new certs.
 certificate    = $dir/ca.crt           # The CA certificate
 serial         = $dir/serial           # The current serial number
 crl            = $dir/crl.pem          # The current CRL
-private_key    = $dir/ca.key           # The private key
+private_key    = $dir/ca.key           # The private key
 RANDFILE       = $dir/.rand            # private random number file
 
 x509_extensions        = usr_cert              # The extentions to add to the cert
@@ -59,7 +54,7 @@ x509_extensions       = usr_cert              # The extentions to add to the cert
 
 default_days   = 3650                  # how long to certify for
 default_crl_days= 30                   # how long before next CRL
-default_md     = md5                   # which md to use.
+default_md     = md5                   # use public key default MD
 preserve       = no                    # keep passed DN ordering
 
 # A few difference way of specifying how similar the request should look
@@ -102,14 +97,12 @@ x509_extensions    = v3_ca # The extentions to add to the self signed cert
 # input_password = secret
 # output_password = secret
 
-# This sets a mask for permitted string types. There are several options. 
+# This sets a mask for permitted string types. There are several options.
 # default: PrintableString, T61String, BMPString.
-# pkix  : PrintableString, BMPString.
-# utf8only: only UTF8Strings.
+# pkix  : PrintableString, BMPString (PKIX recommendation after 2004).
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
 # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
 # MASK:XXXX a literal mask value.
-# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
-# so use this option with caution!
 string_mask = nombstr
 
 # req_extensions = v3_req # The extensions to add to a certificate request
@@ -151,6 +144,7 @@ organizationalUnitName_default = $ENV::KEY_OU
 commonName_default = $ENV::KEY_CN
 name_default = $ENV::KEY_NAME
 
+
 # SET-ex3                      = SET extension number 3
 
 [ req_attributes ]
@@ -196,6 +190,7 @@ authorityKeyIdentifier=keyid,issuer:always
 extendedKeyUsage=clientAuth
 keyUsage = digitalSignature
 
+
 # This stuff is for subjectAltName and issuerAltname.
 # Import the email address.
 # subjectAltName=email:copy
@@ -214,8 +209,8 @@ keyUsage = digitalSignature
 
 # JY ADDED -- Make a cert with nsCertType set to "server"
 basicConstraints=CA:FALSE
-nsCertType                     = server
-nsComment                      = "Easy-RSA Generated Server Certificate"
+nsCertType                     = server
+nsComment                      = "Easy-RSA Generated Server Certificate"
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer:always
 extendedKeyUsage=serverAuth
@@ -288,4 +283,3 @@ dynamic_path = /usr/lib/engines/engine_pkcs11.so
 MODULE_PATH = $ENV::PKCS11_MODULE_PATH
 PIN = $ENV::PKCS11_PIN
 init = 0
-

diff --git a/easy-rsa/2.0/vars b/easy-rsa/2.0/vars
index cded8858581b47370d2eabc11628ce9c4fe8e551..2ea1ceda2132dc51f4d315ea74f5ee1096632ebd 100755 (executable)
--- a/easy-rsa/2.0/vars
+++ b/easy-rsa/2.0/vars
@@ -66,3 +66,9 @@ export KEY_PROVINCE="CA"
 export KEY_CITY="SanFrancisco"
 export KEY_ORG="Fort-Funston"
 export KEY_EMAIL="me@myhost.mydomain"
+export KEY_EMAIL=mail@host.domain
+export KEY_CN=changeme
+export KEY_NAME=changeme
+export KEY_OU=changeme
+export PKCS11_MODULE_PATH=changeme
+export PKCS11_PIN=1234

diff --git a/easy-rsa/Windows/vars.bat.sample b/easy-rsa/Windows/vars.bat.sample
index 3c4b607a7fdd37ea0b48aaa1b06742b0decb87b7..36e6f7167f1e7b7ad932fd9d2af677e4ee11b3e9 100644 (file)
--- a/easy-rsa/Windows/vars.bat.sample
+++ b/easy-rsa/Windows/vars.bat.sample
@@ -4,7 +4,7 @@ rem the openssl.cnf file included
 rem with easy-rsa.
 
 set HOME=%ProgramFiles%\OpenVPN\easy-rsa
-set KEY_CONFIG=openssl.cnf
+set KEY_CONFIG=openssl-1.0.0.cnf
 
 rem Edit this variable to point to
 rem your soon-to-be-created key
@@ -33,3 +33,8 @@ set KEY_PROVINCE=CA
 set KEY_CITY=SanFrancisco
 set KEY_ORG=OpenVPN
 set KEY_EMAIL=mail@host.domain
+set KEY_CN=changeme
+set KEY_NAME=changeme
+set KEY_OU=changeme
+set PKCS11_MODULE_PATH=changeme
+set PKCS11_PIN=1234

diff --git a/win/openvpn.nsi b/win/openvpn.nsi
index d667d760266663062727ceb8cff3298caeb28e85..29d34f1d86d95047d751d89f1a74583064f732a9 100755 (executable)
--- a/win/openvpn.nsi
+++ b/win/openvpn.nsi
@@ -274,7 +274,7 @@ Section "${PRODUCT_NAME} RSA Certificate Management Scripts" SecOpenVPNEasyRSA
 
   # Original nsi script looked for ${EASYRSA}\2.0\openssl.cnf.sample. A newer
   # openssl.cnf is needed on OpenVPN 2.2+.
-  File "${EASYRSA}\Windows\openssl.cnf"
+  File "${EASYRSA}\2.0\openssl-1.0.0.cnf"
 
   File "${EASYRSA}\Windows\vars.bat.sample"