tincantech / easy-tls Goto Github PK

If this utility gets acceptance and use then somebody is bound to fiddle with it and break something. easytls-index.txt is probably the most fragile element, so allow it to be rebuilt on-demand (Maybe with some warnings etc).

See:

Also, openssl can output random serial numbers that do not have 32 hex characters. easytls does not work correctly for any serial number which is not 32 hex chars. Something needs to be fixed ..

No need for a user defined list, it is too simple.

Because EasyRSA now allows duplicate CommonNames in openssl index.txt this could impact easytls-inline-index.txt.

Related also to #10 and #44

Deleting a record is only done when removing an inline file so the extra check:

[ -f $inline ] is overkill.

This is not meant to be spam:
OpenVPN/easy-rsa#366

./easytls build-tls-crypt-v2-client srv cli "metadata"

I always check this locally but it would be better if Travis could also run the same tests.

In much the same way that OpenVPN allows a server to disable clients by using --disable in a --client-config-dir file or dynamically generated by a script; In tls-crypt-v2-verify.sh allow for a pre-check of known bad certificate serial numbers to be processed prior to any further checks by checking a simple text list of bad serial numbers.

Please see: https://community.openvpn.net/openvpn/ticket/1260

regular expressions

Now that both verification methods work, try to beef up the searching regexp's

And have tls-crypt-v2-verify.sh use the list by default.

Fixed public IP client

If a client has a fixed public IP address or range then allow incorporating this into client specific metadata.
eg:

1. 11.12.13.14/32
2. 11.12.13.0/24
3. 2001:fa51:cafe:c0ff:ee00::0005:1aff
   This would require OpenVPN to present untrusted_ip to the script environment.

Investigate output not exit code

Windblows which.exe is a joke and which is not required anyway.

When appropriate, use the new --genkey syntax but also support the old format

Once revoked, the certificate file is moved to pki/revoked and renamed to serial-number.crt, so we cannot use it to retrieve serial number.

I get different results from Travis than I do locally.. needs investigating.

Could be something to do with easyrsa renew .. not sure :: Reminder

Will force metadata_version bump

Use standard *nix binaries awk sed printf etc.

Make a new project to run scripts in Windblows.

bde44e0 requires that crt_file is always set. This causes an issue when distinguishing between server cert and client cert is required. eg: build-tls-crypt-v2-client, which requires both server and client cert.

Also, add tls-crypt-v2-verify.sh to README.md

The endless task ..

Having put the work into creating a suitable metadata string the script no longer needs to support free form metadata.

eg: https://github.com/OpenVPN/easy-rsa/blob/f0129cfe6222820a85db2d394ab73d3c7759c5be/easyrsa3/easyrsa#L1285

ERROR: Missing: >..</pki/ca.crt

Possibly rename function to inline_index_update

Edit: Done

Currently, only random client certificate serial numbers are supported.

We have already failed so improve the functional logic

TLS-crypt-v2 client key, currently, cert serial number is stored as:
serial=B6718E34F5E5443DBF3BE9FABC59B042
Change this to drop the serial= when the key is created.