Bug 13808

Summary: vpnmain.cgi provides client certs with the sha1 hash instead of the sha256 hash
Product: IPFire
Reporter: Adolf Belka <adolf.belka>
Component: ---
Assignee: Adolf Belka <adolf.belka>
Status: ASSIGNED ---
QA Contact:
Severity: - Unknown -
Priority: - Unknown -
CC: michael.tremer
Version: 2
Hardware: unspecified
OS: Unspecified

Description Adolf Belka 2025-01-14 19:30:55 UTC
In June 2023 ovpnmain.cgi was updated to take into account the move to Openssl-3.x by the addition of the -legacy option into the openssl commands.

The same action was taken by myself with vpnmain.cgi.

Subsequently an update was made to ovpnmain.cgi that only added the -legacy option if the certificate that had been created was a legacy version.

This update was not subsequently put into vpnmain.cgi, so all certificates produced are legacy ones, even if the root/host certificates for the ipsec page have been created with openssl-3.x.

Comment 1 Adolf Belka 2025-01-14 19:37:39 UTC
I have done a test of removing the -legacy option from line 2218 in vpnmain.cgi

Creating a new client certificate then ended up with a non legacy version that had the MAC: sha256 message in it indicating that it was not legacy based.

I will go through the vpnmain.cgi and modify all appropriate entries to only use -legacy if the involved .p12 file was legacy based. This should only happen if users are still using a root/host x509 certificate set that was created before openssl-3.x was installed, or from a restore from an old backup or from an uploaded root/host certificate set that was created with openssl-1.x.
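The conditional use of -legacy described in Comment 1, as an added POSIX shell example that is not code from vpnmain.cgi or the IPFire project: it classifies an existing .p12 by the MAC and PBE algorithms that `openssl pkcs12 -info` reports (SHA-1 MAC and RC2 for files written by OpenSSL 1.x, SHA-256 MAC and PBES2/AES for 3.x) and emits -legacy only for the former. The function names and the sample -info text are constructed for this illustration.

```shell
#!/bin/sh
# Added example, not IPFire code: decide whether an existing .p12 needs the
# openssl "-legacy" option by reading the algorithms recorded in the file.
# A PKCS#12 written by OpenSSL 1.x records a SHA-1 MAC and RC2/3DES PBE;
# OpenSSL 3.x defaults to a SHA-256 MAC and PBES2/AES, which need no -legacy.

# Classify the text printed by "openssl pkcs12 -info".
# Prints: legacy | modern | unknown (no MAC line found, e.g. openssl failed).
p12_classify_info() {
    case "$1" in
        *"MAC: sha1"*|*RC2*) echo legacy ;;
        *"MAC: "*)           echo modern ;;
        *)                   echo unknown ;;
    esac
}

# Classify a real file. The -info lines are written to stderr, so merge it.
# For an RC2-based file OpenSSL 3 prints the MAC line and then fails to
# decrypt the bags; the MAC line alone is enough for the decision.
p12_classify_file() {
    p12="$1"
    pw="$2"
    info=$(openssl pkcs12 -info -noout -in "$p12" -passin "pass:$pw" 2>&1)
    p12_classify_info "$info"
}

# Prints "-legacy" only when the file was created with 1.x algorithms;
# the result can be spliced into a later openssl pkcs12 command.
p12_legacy_opt() {
    if [ "$(p12_classify_file "$1" "$2")" = legacy ]; then
        echo "-legacy"
    fi
}

# Constructed sample -info output (mirrors openssl's wording, not real files).
LEGACY_INFO='MAC: sha1, Iteration 2048
MAC length: 20, salt length: 8
PKCS7 Encrypted data: pbeWithSHA1And40BitRC2-CBC, Iteration 2048'
MODERN_INFO='MAC: sha256, Iteration 2048
MAC length: 32, salt length: 8
PKCS7 Encrypted data: PBES2, PBKDF2, AES-256-CBC, Iteration 2048, PRF hmacWithSHA256'

if [ $# -ge 1 ]; then
    # Usage: ./p12check.sh client.p12 [password]
    printf '%s: %s\n' "$1" "$(p12_classify_file "$1" "${2:-}")"
else
    printf 'sample 1.x file: %s\n' "$(p12_classify_info "$LEGACY_INFO")"
    printf 'sample 3.x file: %s\n' "$(p12_classify_info "$MODERN_INFO")"
fi
```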