
build-ca: Command 'req', remove SSL option '-keyout' #1123

Merged
merged 2 commits into OpenVPN:master from build-ca-fix-encrypt
Apr 17, 2024

Conversation

TinCanTech
Collaborator

OpenSSL command 'req', option '-keyout' behaves differently between OpenSSL v3.x versus v1.x

When the private key is encrypted:

  • v1.x ignores '-keyout' and does not create a new key.
  • v3.x creates a new key with different parameters to the original key.

v3.x creates the original key, encrypted by AES-256-CBC; then creates the unnecessary, secondary key, encrypted by DES-EDE3-CBC.

Because EasyRSA has already generated the private key, the 'req' command must not generate a secondary key.

OpenSSL command 'req', option '-keyout' behaves differently between OpenSSL
v3.x versus v1.x

When the private key is encrypted:
- v1.x ignores '-keyout' and does not create a new key.
- v3.x creates a new key with different parameters to the original key.

v3.x creates the original key, encrypted by AES-256-CBC; then creates
the unnecessary, secondary key, encrypted by DES-EDE3-CBC.

Because EasyRSA has already generated the private key, the 'req' command
must not generate a secondary key.

Signed-off-by: Richard T Bonhomme <[email protected]>
@TinCanTech TinCanTech merged commit 52e9da6 into OpenVPN:master Apr 17, 2024
3 checks passed
@TinCanTech TinCanTech deleted the build-ca-fix-encrypt branch April 18, 2024 12:44
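An added check, not EasyRSA or OpenSSL code, for verifying after the fact which cipher a PEM-armoured CA private key was encrypted with, so an operator can confirm a key built under OpenSSL 3.x is AES-256-CBC rather than the DES-EDE3-CBC secondary key this PR removes. It assumes that for PKCS#8 "ENCRYPTED PRIVATE KEY" files the PBES2 cipher OID appears in the clear in the DER, so a byte search is enough; the sample keys are constructed stand-ins, not real keys.

```python
import base64
import re

# DER-encoded OIDs (tag 0x06 plus length) for the two ciphers named in the PR.
CIPHER_OIDS = {
    "DES-EDE3-CBC": bytes.fromhex("06082a864886f70d0307"),    # 1.2.840.113549.3.7
    "AES-256-CBC":  bytes.fromhex("060960864801650304012a"),  # 2.16.840.1.101.3.4.1.42
}
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def key_cipher(pem: str) -> "str | None":
    """Cipher name, 'UNKNOWN' if encrypted with something not in CIPHER_OIDS, None if unencrypted."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.group(1), m.group(2)
    # Legacy OpenSSL 1.x layout names the cipher in a DEK-Info header line.
    dek = re.search(r"^DEK-Info:\s*([A-Z0-9-]+),", body, re.M)
    if dek:
        return dek.group(1)
    if label != "ENCRYPTED PRIVATE KEY":
        return None
    # PKCS#8: assumption is the PBES2 cipher OID is stored unencrypted in the DER.
    der = base64.b64decode("".join(body.split()))
    for name, oid in CIPHER_OIDS.items():
        if oid in der:
            return name
    return "UNKNOWN"


def check_ca_key(pem: str, expected: str = "AES-256-CBC") -> tuple:
    """(ok, message): ok is True only when the key is encrypted with `expected`."""
    cipher = key_cipher(pem)
    if cipher is None:
        return False, "key is not encrypted"
    if cipher != expected:
        return False, f"key encrypted with {cipher}, expected {expected}"
    return True, f"key encrypted with {cipher}"


def _fake_pkcs8(cipher_oid: bytes) -> str:
    # Constructed stand-in: PBES2 OID, the cipher OID and a zero IV in PEM armour;
    # it is not a decryptable key, only the OID search is exercised.
    inner = bytes.fromhex("06092a864886f70d01050d") + cipher_oid + b"\x04\x10" + bytes(16)
    body = base64.b64encode(b"\x30" + bytes([len(inner)]) + inner).decode()
    return f"-----BEGIN ENCRYPTED PRIVATE KEY-----\n{body}\n-----END ENCRYPTED PRIVATE KEY-----\n"


# Constructed sample inputs covering both PEM layouts and an unencrypted key.
PKCS8_AES = _fake_pkcs8(CIPHER_OIDS["AES-256-CBC"])
PKCS8_3DES = _fake_pkcs8(CIPHER_OIDS["DES-EDE3-CBC"])
LEGACY_3DES = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
               "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")
PLAIN = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
```

On a real deployment, read pki/private/ca.key into `check_ca_key`; `openssl asn1parse -in ca.key` is the equivalent manual check of the OIDs.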

Successfully merging this pull request may close these issues.

CA Private Key will be encrypted with des-ede3-cbc during build-ca with OpenSSL 3.x