Save and Restore $EASYRSA_SSL_CONF for compound commands

Compound function build_full() calls gen_req() then sign_req(). However, between the two, $EASYRSA_SSL_CONF is set to a temp-file, which has now been deleted. This causes sign_req() to use a different SSL config file than that used by gen_req(). Also, '--ssl-conf' is ignored when secure_session() clears $EASYRSA_SSL_CONF. This change saves the original setting for $EASYRSA_SSL_CONF, which is then restored when remove_secure_session() is called. Also, secure_session() no longer clears $EASYRSA_SSL_CONF, preserving the setting of '--ssl-conf'. This mechanism also covers easyrsa-tools.lib:read_db(), which also resets the temporary session. This does not require updating easyrsa-tool.lib version (@v322). Signed-off-by: Richard T Bonhomme <[email protected]>
OpenVPN · Dec 5, 2024 · 7cdb14d · 7cdb14d
1 parent d693711
commit 7cdb14d
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 11 deletions.
diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
@@ -840,8 +840,7 @@ secure_session - Missing temporary directory:
 				die "secure_session - temp-file EXISTS"
 
 			# New session requires safe-ssl conf
-			unset -v session OPENSSL_CONF \
-				EASYRSA_SSL_CONF safe_ssl_cnf_tmp \
+			unset -v session OPENSSL_CONF safe_ssl_cnf_tmp \
 				working_safe_ssl_conf working_safe_org_conf
 
 			easyrsa_err_log="$secured_session/error.log"
@@ -859,8 +858,11 @@ remove_secure_session() {
 	if rm -rf "$secured_session"; then
 		verbose "\
 remove_secure_session: DELETED: $secured_session"
-		unset -v secured_session OPENSSL_CONF \
-			EASYRSA_SSL_CONF safe_ssl_cnf_tmp \
+
+		# Restore original EASYRSA_SSL_CONF
+		EASYRSA_SSL_CONF="$original_ssl_cnf"
+
+		unset -v secured_session OPENSSL_CONF safe_ssl_cnf_tmp \
 			working_safe_ssl_conf working_safe_org_conf
 		return
 	fi
@@ -4666,6 +4668,9 @@ verify_working_env() {
 	# and easyrsa-tools.lib
 	locate_support_files
 
+	# Save original EASYRSA_SSL_CONF
+	original_ssl_cnf="$EASYRSA_SSL_CONF"
+
 	verbose "verify_working_env: COMPLETED Handover-to: $cmd"
 } # => verify_working_env()
 

diff --git a/easyrsa3/easyrsa-tools.lib b/easyrsa3/easyrsa-tools.lib
@@ -414,14 +414,12 @@ read_db() {
 
 		verbose "***** Read next record *****"
 
-		# Recreate temp session
-		remove_secure_session || \
-			die "read_db - remove_secure_session"
-		secure_session || \
-			die "read_db - secure_session"
-		# Recreate openssl-easyrsa.cnf (Temp)
-		write_global_safe_ssl_cnf_tmp
+		# Recreate temp-session and
+		# drop edits to SSL Conf file
+		remove_secure_session
+		secure_session
 		locate_support_files
+		write_global_safe_ssl_cnf_tmp
 
 		# Interpret the db/certificate record
 		unset -v db_serial db_cn db_revoke_date db_reason