| Summary: | net-misc/openvpn-2.0.9 introduces/overwrites new / with incompatible default config for easy-rsa | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Alexander Stoll <technoworx> |
| Component: | Current packages | Assignee: | Cédric Krier <cedk> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | denilsonsa, paolo.pedroni |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
| Attachments: | Patch to fix the easy-rsa directory | | |
Description
Alexander Stoll
2009-06-10 16:09:14 UTC
The real problem in this case is that the ebuild "forgets" to copy one file in the easy-rsa directory. The file in question is easy-rsa/whichopensslcnf, which is used to select the openssl configuration between current and openssl-0.9.6.

Another (small) mistake in the ebuild is that openssl-0.9.6.cnf is made executable by the 'doexe *-* pkitool' command in the src_install section of the ebuild.

The attached patch should (hopefully) fix both issues; please apply, check and report your findings.

Created attachment 195073
Patch to fix the easy-rsa directory
Applied in CVS. Thanks.

Sorry for the late reply/testing...

(In reply to comment #1)
> The real problem in this case is that the ebuild "forgets" to copy one file in
> the easy-rsa directory. The file in question is easy-rsa/whichopensslcnf which
> is used to select the openssl configuration between current and openssl-0.9.6.

I must admit I haven't looked into the ebuilds...

> Another (small) mistake in the ebuild is that openssl-0.9.6.cnf is made
> executable by the 'doexe *-* pkitool' command in the src_install section of the
> ebuild.
>
> The attached patch should (hopefully) fix both issues, please apply, check and
> report your findings.

Still not fixed, the revoke script still fails because of the pkcs11 section in the active conf:

```
# ./revoke-full client2
--> Using configuration from /usr/share/openvpn/easy-rsa/openssl.cnf
error on line 282 of config file '/usr/share/openvpn/easy-rsa/openssl.cnf'
26484:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:629:line 282
Using configuration from /usr/share/openvpn/easy-rsa/openssl.cnf
error on line 282 of config file '/usr/share/openvpn/easy-rsa/openssl.cnf'
26485:error:0E065068:configuration file routines:STR_COPY:variable has no value:conf_def.c:629:line 282
cat: crl.pem: Datei oder Verzeichnis nicht gefunden
Error opening certificate file client2.crt
26487:error:02001002:system library:fopen:No such file or directory:bss_file.c:356:fopen('client2.crt','r')
26487:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:358:
unable to load certificate
```

Whoever utilizes pkcs11 cryptographic tokens needs to modify his setup beyond this simple preconfiguration, so I see no reason for having this section uncommented...

Last one, would it not make much more sense to also increase the default_crl_days to 3650 days?

My proposed patch:

--- openssl.cnf.orig 2009-06-22 00:35:27.000000000 +0200
+++ openssl.cnf 2009-06-22 00:58:25.000000000 +0200
@@ -58,7 +58,7 @@ # crl_extensions = crl_ext default_days = 3650 # how long to certify for -default_crl_days= 30 # how long before next CRL +default_crl_days= 3650 # how long before next CRL default_md = md5 # which md to use. preserve = no # keep passed DN ordering @@ -277,9 +277,9 @@ #pkcs11 = pkcs11_section [ pkcs11_section ] -engine_id = pkcs11 -dynamic_path = /usr/lib/engines/engine_pkcs11.so -MODULE_PATH = $ENV::PKCS11_MODULE_PATH -PIN = $ENV::PKCS11_PIN -init = 0 +#engine_id = pkcs11 +#dynamic_path = /usr/lib/engines/engine_pkcs11.so +#MODULE_PATH = $ENV::PKCS11_MODULE_PATH +#PIN = $ENV::PKCS11_PIN +#init = 0 Fix in openvpn-2.1_rc20 |
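Review bot: raising `default_crl_days` from 30 to 3650 in the first hunk gives every CRL this CA issues a nextUpdate ten years out, so a relying party that only refreshes a CRL once it goes stale will keep trusting the same revocation list for a decade; the reason for the change is not stated in the comment, and if it is to keep the CRL from expiring, re-issuing it on a schedule with `openssl ca -gencrl` is the safer fix than a ten-year validity. The same hunk shows `default_md = md5` in its context lines; MD5 is not acceptable for certificate signatures any more (collision attacks against it are practical), so while this block is being edited, switching to a SHA-2 digest such as `default_md = sha256` is worth adding to the patch.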
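Review bot: commenting out the five keys under `[ pkcs11_section ]` in the second hunk does resolve the "variable has no value" failure, but the patch should record why, because the context line above shows `#pkcs11 = pkcs11_section` was already commented out: OpenSSL's config loader expands `$ENV::PKCS11_MODULE_PATH` and `$ENV::PKCS11_PIN` while the file is read (the STR_COPY error comes from conf_def.c at load time), not when the section is used, so an unset variable fails regardless of whether anything references the section. A comment line above the section such as `# Uncomment and export PKCS11_MODULE_PATH and PKCS11_PIN to use a PKCS#11 token` would tell token users what they have to restore; keeping the now-empty `[ pkcs11_section ]` header is harmless.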
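As an added example (not code from this bug report, nor from the openvpn or easy-rsa projects), the following POSIX shell helper reproduces the diagnosis behind the "variable has no value" failure above: it lists every `$ENV::NAME` reference in an OpenSSL configuration file whose variable is not set in the environment, skipping comment lines, because OpenSSL expands these references at load time even for sections that are never referenced. The function names `check_env_refs` and `make_sample_cnf` are my own, and the sample configuration the script builds is constructed for the demonstration, modelled on the `pkcs11_section` in the patch.

```shell
#!/bin/sh
# Added example, not from the bug report or the openvpn/easy-rsa package.
# OpenSSL's config loader expands every $ENV::NAME on a non-comment line while
# the file is being read, so an unset variable aborts with
# "variable has no value" even when the section is never referenced (the
# pkcs11_section case above). This helper lists such references before
# `openssl ca` is run.

# check_env_refs FILE
# Prints LINE:NAME for each $ENV::NAME on a non-comment line whose variable is
# not set in the environment. Prints nothing when the file would load cleanly.
check_env_refs() {
    cnf=$1
    awk '
        /^[ \t]*#/ { next }        # comment lines are never expanded by OpenSSL
        {
            rest = $0
            while (match(rest, /\$ENV::[A-Za-z_][A-Za-z0-9_]*/)) {
                # "$ENV::" is 6 characters; the identifier follows it
                print NR ":" substr(rest, RSTART + 6, RLENGTH - 6)
                rest = substr(rest, RSTART + RLENGTH)
            }
        }' "$cnf" |
    while IFS=: read -r lineno name; do
        # ${NAME+set} is empty only when NAME is unset; an exported empty
        # string still satisfies OpenSSL. NAME only contains identifier
        # characters (enforced by the awk regex), so the eval is safe.
        if eval "[ -z \"\${$name+set}\" ]"; then
            printf '%s:%s\n' "$lineno" "$name"
        fi
    done
    return 0
}

# make_sample_cnf FILE
# Writes a constructed fragment modelled on the pkcs11_section in the patch.
make_sample_cnf() {
    printf '%s\n' \
        '[ ca ]' \
        'dir = $ENV::KEY_DIR' \
        '' \
        '#pkcs11 = pkcs11_section' \
        '[ pkcs11_section ]' \
        'engine_id = pkcs11' \
        'MODULE_PATH = $ENV::PKCS11_MODULE_PATH' \
        'PIN = $ENV::PKCS11_PIN' \
        '#init = 0' > "$1"
}

# Stand-alone demonstration: KEY_DIR is exported (as easy-rsa's vars file does),
# the two PKCS#11 variables are not, so only lines 7 and 8 are reported.
sample=${TMPDIR:-/tmp}/openssl-cnf-check.$$
make_sample_cnf "$sample"
export KEY_DIR=/tmp
unset PKCS11_MODULE_PATH PKCS11_PIN
check_env_refs "$sample"
rm -f "$sample"
```

Run it against the real file with `check_env_refs /usr/share/openvpn/easy-rsa/openssl.cnf` after sourcing easy-rsa's `vars`; an empty report means `openssl ca` will at least get past config loading. The check deliberately ignores comment lines, which is exactly why the patch's approach of prefixing the five keys with `#` makes the error disappear.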