certificates: use our own ssl config from now on for #280

Fixes LibreSSL shipping a not so usable openssl.cnf that gets picked up by php-openssl for mostly random reasons.

certificates: use our own ssl config from now on for #280
Fixes LibreSSL shipping a not so usable openssl.cnf that gets picked up by php-openssl for mostly random reasons.
c88a4f7f · Franco Fichtner · b4011e9e · c88a4f7f · c88a4f7f · c88a4f7f
Commit c88a4f7f authored Aug 18, 2015 by Franco Fichtner
Expand all Show whitespace changes
Inline Side-by-side

Showing with 378 additions and 30 deletions

certs.inc src/etc/inc/certs.inc +27 -23

rc src/etc/rc +0 -7

opnsense.cnf src/etc/ssl/opnsense.cnf +351 -0

No files found.
--- a/src/etc/inc/certs.inc
+++ b/src/etc/inc/certs.inc
@@ -27,8 +27,6 @@
        POSSIBILITY OF SUCH DAMAGE.
 */

-define("OPEN_SSL_CONF_PATH", "/etc/ssl/openssl.cnf");
-
 global $openssl_digest_algs;
 $openssl_digest_algs = array("sha1", "sha224", "sha256", "sha384", "sha512");

@@ -128,15 +126,16 @@ function ca_chain(& $cert) {
 	return "";
 }

-
-function ca_create(& $ca, $keylen, $lifetime, $dn, $digest_alg = "sha256") {
-
+function ca_create(&$ca, $keylen, $lifetime, $dn, $digest_alg = 'sha256')
+{
 	$args = array(
-		"x509_extensions" => "v3_ca",
-		"digest_alg" => $digest_alg,
-		"private_key_bits" => (int)$keylen,
-		"private_key_type" => OPENSSL_KEYTYPE_RSA,
-		"encrypt_key" => false);
+		'config' => '/usr/local/etc/ssl/opnsense.cnf',
+		'private_key_type' => OPENSSL_KEYTYPE_RSA,
+		'private_key_bits' => (int)$keylen,
+		'x509_extensions' => 'v3_ca',
+		'digest_alg' => $digest_alg,
+		'encrypt_key' => false
+	);

 	// generate a new key pair
 	$res_key = openssl_pkey_new($args);
@@ -181,33 +180,38 @@ function cert_import(& $cert, $crt_str, $key_str) {
 	return true;
 }

-function cert_create(& $cert, $caref, $keylen, $lifetime, $dn, $digest_alg = "sha256") {
-
-	$ca =& lookup_ca($caref);
-	if (!$ca)
+function cert_create(&$cert, $caref, $keylen, $lifetime, $dn, $digest_alg = 'sha256')
+{
+	$ca = &lookup_ca($caref);
+	if (!$ca) {
 		return false;
+	}

 	$ca_str_crt = base64_decode($ca['crt']);
 	$ca_str_key = base64_decode($ca['prv']);
 	$ca_res_crt = openssl_x509_read($ca_str_crt);
 	$ca_res_key = openssl_pkey_get_private(array(0 => $ca_str_key, 1 => ""));
-	if(!$ca_res_key) return false;
+	if (!$ca_res_key) {
+		return false;
+	}
 	$ca_serial = ++$ca['serial'];

-	// in case of using Subject Alternative Names use other sections (with postfix '_san')
-	// pass subjectAltName over environment variable 'SAN'
+	/* subjectAltName can be set _only_ via configuration file */
 	if ($dn['subjectAltName']) {
-		putenv("SAN={$dn['subjectAltName']}"); // subjectAltName can be set _only_ via configuration file
+		/* TODO: currently disabled */
+		putenv("SAN={$dn['subjectAltName']}");
 		$cert_type .= '_san';
 		unset($dn['subjectAltName']);
 	}

 	$args = array(
-		"x509_extensions" => "usr_cert",
-		"digest_alg" => $digest_alg,
-		"private_key_bits" => (int)$keylen,
-		"private_key_type" => OPENSSL_KEYTYPE_RSA,
-		"encrypt_key" => false);
+		'config' => '/usr/local/etc/ssl/opnsense.cnf',
+		'private_key_type' => OPENSSL_KEYTYPE_RSA,
+		'private_key_bits' => (int)$keylen,
+		'x509_extensions' => 'usr_cert',
+		'digest_alg' => $digest_alg,
+		'encrypt_key' => false
+	);

 	// generate a new key pair
 	$res_key = openssl_pkey_new($args);

--- a/src/etc/rc
+++ b/src/etc/rc
@@ -90,13 +90,6 @@ if [ ! -f /conf/config.xml ]; then
 	echo "done."
 fi

-# Bootstrap openssl.cnf for port if necessary
-if [ ! -f /usr/local/openssl/openssl.cnf ]; then
-	echo -n "Bootstrapping openssl.cnf..."
-	cp /etc/ssl/openssl.cnf /usr/local/openssl/openssl.cnf
-	echo "done."
-fi
-
 # Disable APM on ATA drives.  Leaving this on will kill
 # drives long-term, especially laptop drives, by generating
 # excessive load cycles.

--- a/src/etc/ssl/opnsense.cnf
+++ b/src/etc/ssl/opnsense.cnf