./security/easy-rsa, CLI utility to build and manage a PKI CA



Branch: CURRENT, Version: 3.2.6, Package name: easy-rsa-3.2.6, Maintainer: pkgsrc-users

easy-rsa is a CLI utility to build and manage a PKI CA. In layman's terms,
this means creating a root certificate authority, then requesting and signing
certificates, including sub-CAs and certificate revocation lists (CRLs).


Required to build:
[pkgtools/cwrappers]

Master sites:

Filesize: 91.351 KB

CVS history:


   2026-03-30 10:24:00 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
easy-rsa: updated to 3.2.6

3.2.6 (2026-03-13)

* Introduce command 'import-tls-key' - Import an OpenVPN TLS key (cb4735b)
* X509-Type ca: Enable 'basicConstraints = critical' for CA/subCA certificates
  (5a5adb4)
* inline_file(): $inline_incomplete, add descriptive message (0df7946)
* Introduce new command 'import-ca' (fae716f)
* inline_file(): Introduce external CA list file (ce61d91)
* set_no_clobber(): Try shell long option 'set -o noclobber' first (87e31ce)
* CI: Enable shell switch errexit, set by env-var $EASYRSA_SET_ERREXIT (772d6f6)
   2025-12-22 09:00:12 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
easy-rsa: updated to 3.2.5

3.2.5 (2025-12-13)

* ssl_cert_digest(): Support Edwards curve with LibreSSL (1eaa31e)
* New function ssl_cert_sig_digest() (f9d2b49)
* Add '-b' alias for --batch (575a964)
* Introduce peer-fingerprint inline lists (94c3690)
* Create new inline file type 'pfp', peer-fingerprint (353adc5)
* export_pkcs(), PKCS12 inline: Respect $EASYRSA_NO_INLINE (35d7ad3)
  Original bug report: Sébastien Luttringer
* Introduce global option --force-vars (5560d3c)
* source_vars(): Add 'set -e' to dry-run, sub-shell sourcing vars (6598711)
* source_vars(): Add grep check for assignment by '=' (fc36545)
* Update EasyRSA-Advanced.md (276eaa5)
* Introduce global option --no-inline (75e52f7)
* Replace $ignore_vars with $EASYRSA_NO_VARS (Revert 3c0ca17) (5879488)
* Libressl: Use ONLY $EASYRSA_FORCE_SAFE_SSL (25b7485)
* select_x509_type_tmp(): This complements select_ssl_cnf_tmp() (dc754e4)
* select_ssl_cnf_tmp(): Replace provide_EASYRSA_SSL_CONF_tmp() (538ad3d)
* inline_file(): Make unknown certificate type non-fatal (b2373e2)
* Remove 'kdc' as a 'built-in' X509-type (13e37d9)
* peer-fingerprint: Allow 'show-cert' to be used (7cf55e0)
* init-pki: Introduce configurable cryptography (a8da392)

* Update OpenSSL for Windows to 3.6.0 (62a0cea)
* Replace "local" openssl-easyrsa.cnf (80702d6..b31443d)

  Original bug report: 1390 'OpenBSD/LibreSSL failure'

  With these changes, Easy-RSA now does the following:

  Create a global safe SSL config file exactly as before and export it
  to $OPENSSL_CONF, for use by any SSL library. This file is specifically
  required by check_serial_unique(), which must have the Easy-RSA CA
  configured file.

  Use either an existing openssl-easyrsa.cnf file OR provide a default,
  unexpanded tmp-file, which is exported to $EASYRSA_SSL_CONF, for use
  ONLY by Easy-RSA. This must be unexpanded to allow $EASYRSA_REQ_CN to
  be configured by the Easy-RSA command in use (eg. sign-req) once the
  Easy-RSA command line has been fully parsed.

  When calling easyrsa_openssl(), for LibreSSL or --force-safe-ssl,
  expand the current $EASYRSA_SSL_CONF and export that to $OPENSSL_CONF,
  for use by the called SSL command. Otherwise, use the current, unexpanded
  file and export that.
   2025-09-03 09:46:42 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
easy-rsa: updated to 3.2.4

3.2.4 (2025-08-27)

* build-ca: get_passphrase(), write passphrase directly to temp-file (0cb9cdd)
* create_legacy_stream(): Designate 'selfsign' as NOT user configurable (f564b1c)
* self_sign(): awk action, correct comment and reduce script (8e23ba3)
* forbid_selfsign(): Allow issuer certificate serial to be absent (09dffec)
  Original bug report: github-user topical
* self_sign(): Force use of Easy-RSA X509-type file 'selfsign' (7e39cc6)
* random: Use verify_working_env() to configure EASYRSA_OPENSSL (32eb73d)
* set_no_clobber(): Add simple error detection (0f93880)
* revoke: Archive request and private key files and expand help (79754da)
  Original bug report: github-user spacefreak86
* Remove 'easyrsa_mkdir()', use only 'mkdir' (5738f3d)
* help: Correct build-ca 'rawca' command option (0447f42)
* Windows easyrsa-shell-init.sh: Modernize prompt (5bf2e99)
* Windows UT: Update 'wop-test.sh' to latest 'easyrsa-shell-init.sh' (ea5b168)
* verify_openvpn(): Convert Windows path '\' to *nix path '/' (75a8fdd)
* verify_openvpn(): Windows, add check for 'openvpn.exe' (10c6267)
* gen-crl: Replace file-move with file-copy-preserve-attribs (4cc1d48)
* Windows easyrsa-shell-init.sh: Add non-fatal check for 'openvpn.exe' (bb78615)
* Windows easyrsa-shell-init.sh: Require confirmation for User-Home mode (bfa6cfd)
* Windows easyrsa-shell-init.sh: Allow Easy-RSA to use '\User\$HOME' (f194da5)
* mutual_exclusions(): Include basic checks for --startdate/--enddate (e1478c3)
* Windows easyrsa-shell-init.sh: Replace 'read -p' (49b2181)
* inline: Include missing OpenVPN TLS key to cause INCOMPLETE warning (d98eee6)
* Verbose: Make verbose messages command and function aware (7634b94)
* CI: Add OpenSSL-3.5.1-LTS and LibreSSL-4.1.0 to private test suite
* secure_session(): Remove unnecessary check for existing directory (1322177)
* all_legacy_files_v2(): Do not create PKI directory (b0260da)
* Replace PKI and CA initialisation flags with command switch flags (2bdf582)
* verify_working_env(): Move lock-file request to after PKI check (071405d)
* Move basic sanity checks to verify_working_env() (509a36e)
* New global option: --no-lockfile = env-var: $EASYRSA_NO_LOCKFILE (46c8647)
* default_overview(): Add peer-fingerprint mode PKI identification (c9a0152)
* help: Add in use algorithm and key-size/curve to top level status (10778cc)
* help: Move 'utils' to command list and detailed help (e965234)
* Restructure help (65c2bce)
* export-p12: Split $p12_cipher_opts into respective parts (48bb8ee)
* export-p12: Move inline file to 'inline/private' folder (22cabcb)
* export-p12: Rename inline file extension to '.inline-p12' (22cabcb)
   2025-07-21 10:47:11 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
easy-rsa: updated to 3.2.3

3.2.3

Update OpenSSL to v3.5.0
renew: Print 'unique_subject = no' to index.txt.attr
check_serial_unique(): Check for duplicate Subject error
Correctly define options names - Remove wild-card pattern
Remove all references to file:easyrsa-tools.lib
Reinstate old function as 'db_date_to_iso_8601()' [Renamed]
expire_status_v2(): Refactor 'if' statement to capture error correctly
source_vars() improvements
add_critical_attrib(): Do not add 'critical' if 'critical' exists
inline_file(): Include DH file or placeholder, for RSA Servers
Fix shellcheck warnings
Introduce command line options --umask|--no-umask, to set 'umask'
Introduce "robust" lock-file mechanism
New function set_no_clobber()
Easyrsa mktemp v2
add_critical_attrib_v2(): Move file access to function
Command 'write': Remove options 'overwrite' and 'filename'
Introduce option --text: Create CSR files with human readable text
will_cert_be_valid(): Remove SSL option -noout
easyrsa_mktemp(): Remove secondary atomic operation
easyrsa_mkdir(): Separate Windows from *nix
Update Copyright 2025
inline_file(): Correct logic and add 'dh none' for DH params file
show-expire: Move setting $pre_expire_window_s to status()
Always export EASYRSA_SSL_CONF, when assigned (code standard)
Unit-test: Drop old *nix test
add_critical_attrib(): export temp-file name as input file
Inline improvements
Unit-test: Minimize Windows test
PKI lock-file: Move possible creation to sub-function request_lock_file()
forbid_selfsign(): Compare cert serial to signing cert serial
inline_file(): Use ssl_cert_serial()
Inline self sign improvements
peer-fingerprint mode: Make CA mode mutually exclusive to PFP mode
Remove init pki soft
   2025-02-04 03:02:32 by Greg Troxel | Files touched by this commit (2)
Log message:
security/easy-rsa: Update to 3.2.2

3.2.2 (2025-02-01)

   * Fold easyrsa-tools.lib into easyrsa (56cfa0c) (#1288)
   * Revert da3c249: Do not remove index.txt.attr (a236b97) (#1287)
   * Windows: Remove mktemp binary and text files (135f642) (#1285)
   * op-test.sh: Disable download ossl3 and shellcheck binaries (473c43b) (#1284)
   * Forbid self-signed certificate from being expired/renewed/revoked (ab45ae7) (#1274)
   * Rename global option --ssl-conf (DEPRECATED) to --ssl-cnf (c788423) (#1270)
   * bugfix: Save and Restore $EASYRSA_SSL_CONF for compound commands (7cdb14d) (#1270)
   * bugfix: Always use locate_support_files() after secure_session() (d530bc3) (#1270)
   * bugfix: easyrsa-tools.lib: renew, write full metadata to temp-file (b47d2af) (#1267)
   * Introduce new command 'revoke-issued' (38bf2d8) (#1266)
     Commands 'revoke' and 'revoke-issued' are identical.
     Command 'revoke' can ONLY be used in batch mode.
   * vars.example: Remove $EASYRSA_PKI (8ee8dcf) (#1262)
     There is no effect on existing 'vars' files.
   * easyrsa-tools.lib: Move to 'easyrsa3' directory (d30b688) (#1259)
     This now includes 'easyrsa-tools.lib' in the distribution tarballs.
   * Upgrade easyrsa-tools.lib to version 322 - As of command 'renew-ca'
   * easyrsa-tools.lib: Introduce new command 'renew-ca' (ba32b0d) (#1255)
   * easyrsa-tools.lib: show-expire, allow --days to be zero (a1033a5) (#1254)
   * Command 'help': Ignore EASYRSA_SILENT (8804d6b) (#1249)
   * bugfix: easyrsa-tools.lib: renew SAN, remove excess word 'Address' (af17492) (#1251)
   * New global variable 'EASYRSA_DISABLE_INLINE' (ad257ab) (#1245)
   * bugfix: revoke, renew: Remove pki/inline/private/$file.inline (febef85) (#1244)
     Initial bug report #1242 (Minor)
     Stop removing old credentials file pki/$file.creds (a871e9c)
   * Add LibreSSL version 4 to supported SSL Libraries (7df616b) (#1240)
   * sign-req: Allow custom X509 Types (2ee08cc) (#1238)
   * Remove redundant file index.txt.attr (da3c249) (#1233)
   2024-09-23 10:17:24 by Adam Ciarcinski | Files touched by this commit (2) | Package updated
Log message:
easy-rsa: updated to 3.2.1

3.2.1

* inline: Add decimal value for cert. serial (Linux Only) (b33038e)
* Always exit with error for unknown command options (Except nopass)
  (build-ca: b2f7912); (gen-req: 07f21d3); (build_full(): 0ff7f4c);
  (export_pkcs(): 2c51288); (set-pass: 1266d4e)
* Integrate Easy-RSA TLS-Key for use with 'init-pki soft' (03d9dc2)
  Note: Inline files that contain private key data are now created in sub-dir
  'pki/inline/private'.
* easyrsa-tools.lib, show-expire: Add CA certificate to report (a36cd54)
* inline: OpenVPN TLS Keys inlining for TLS-AUTH, TLS-CRYPT-V1 (6e9e4a2)
  Note: Command inline only writes directly to inline file not stdout.
* easyrsa-tools.lib: OpenVPN TLS Key gen. TLS-AUTH, TLS-CRYPT-V1 (cf0da16)
* easyrsa-tools.lib: expire_status_v2() (show-expire version 2) (1e43bf5)
* sign-req: Require 128bit serial number (806ee19)
* Move command 'verify-cert' to Tools-lib; drop 'verify' shortcut (ddbf304)
* Windows secure_session(): Ensure $secured_session dir is created (d99b242)
* Switch to '-f' for file existence (6ab98c9..a02f545)
* inline: Move auto-inline from build_full() to sign_req() (823f70f)
* gen-crl: Create additional CRL in DER format (69df0d8)
* self-sign: Allow Edwards Curve based keys (81b749b)
* Re-enable command 'renew' (version 2): Requires EasyRSA Tools (30fe311)
* bug-fix: revoke: Pass the correct certificate location (24d5514)
* vars.example: Add flags for auto-SAN and X509 critical attribute (a41dfcc)
* Global option --eku-crit: Mark X509 extendedKeyUsage as critical (ca09211)
* sign-req: Add critical and pathlen details to confirmation (deae705)
* export-p12: Automatically generate inline file (9d90370)
* Introduce global option --auto-san, use commonName as SAN (5c36d44)
* Introduce global option --san-crit, mark SAN critical (dd69f50)
* Introduce new global options: --ku-crit and --bc-crit (b79abee)
* gen-req: Always check for existing request file (7eab98e)
* revoke/revoke-expired/-renewed: Keep duplicate certificate (3da7f66)
* revoke-expired/-renewed: Keep req/key files for resigning (4537ae7)
* revoke: Add abbreviations for optional 'reason' (a88ccc7)
* build-ca: Allow use of --req-cn without batch mode (b77a0fb)
* gen-req: Re-enable use of --req-cn (5cf8c46)
* write: Change syntax, target as file, not directory
   2024-06-08 09:14:37 by Adam Ciarcinski | Files touched by this commit (3) | Package updated
Log message:
easy-rsa: updated to 3.2.0

EasyRSA v3.2.0 - Most significant changes

New commands:

self-sign-server and self-sign-client
Create self-signed certificates for use with OpenVPN Peer Fingerprint mode.
These certificates comply with other EasyRSA signing policies.

expire
Selectively move certificates from the issued/ to expired/ directory.
This allows a new certificate to be signed from the original signing request file.
This allows all custom signing options to be applied as required.
This replaces the old command renew, which has been removed.
Further details: doc/EasyRSA-Renew-and-Revoke.md

write
Create legacy support files: openssl-easyrsa.cnf, x509-types/* and vars.example.
This allows EasyRSA to be used without having copies of the support files installed.

Removed commands:

renew
Replaced by command expire, followed by command sign-req.
This allows all custom options to be used when signing, which renew did not.

rebuild and rewind-renew
No longer required.

upgrade
No longer supported.

New Global Option:

--new-subject -- Command sign-req option: newsubj
Edit Request Subject during command sign-req

New files:

easyrsa-tools.lib
Moved code for commands show-expire, show-revoke and show-renew to the new file.
easyrsa-tools.lib is auto-loaded, if it is found in a supported location. eg. $pwd
   2023-12-05 19:29:16 by Adam Ciarcinski | Files touched by this commit (3) | Package updated
Log message:
easy-rsa: updated to 3.1.7

3.1.7 (2023-10-13)

Rewrite vars-auto-detect, adhere to EasyRSA-Advanced.md
Under the hood, this is a considerable change but there are no user
noticeable differences. With the exception of:
Caveat: The default '$PWD/pki/vars' file is forbidden to change either
EASYRSA or EASYRSA_PKI, which are both implied by default.
EasyRSA-Advanced.md: Correct vars-auto-detect hierarchy
Commit: ecd6506
EASYRSA/vars is moved to a higher priority than a default PKI.
vars-auto-detect no longer searches 'easyrsa' program directory.
gen-crl: preserve existing crl.pem ownership+mode
New command: make-vars - Print vars.example (here-doc) to stdout
show-expire: Calculate cert. expire seconds from DB date
Update OpenSSL to 3.1.2
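Several entries above operate on the CA database file index.txt that Easy-RSA inherits from OpenSSL: 3.1.7 calculates show-expire seconds from the DB date, 3.2.3 adds db_date_to_iso_8601(), the duplicate-Subject check in check_serial_unique() and the 'unique_subject = no' line that renew writes to index.txt.attr, and 3.2.1 requires 128-bit serial numbers. The following is an added example, not Easy-RSA's own code and not part of this page, that parses a constructed index.txt and reproduces those checks. It assumes the standard OpenSSL index.txt layout (six tab-separated fields) and uses made-up rows; the function names are the example's own, chosen to mirror the changelog.

```python
"""Parse an OpenSSL/Easy-RSA CA database (index.txt) and reproduce the
expiry, 128-bit-serial and duplicate-subject checks named in the changelog.
Added example, not Easy-RSA's own code."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed sample index.txt, not real CA data.  Tab-separated fields:
# status (V/R/E), expiry date, revocation date[,reason], serial (hex),
# certificate filename, subject DN.
SAMPLE_INDEX = (
    "V\t360101000000Z\t\tA1B2C3D4E5F60718293A4B5C6D7E8F90\tunknown\t/CN=vpn-server\n"
    "V\t260401120000Z\t\t0F1E2D3C4B5A69788796A5B4C3D2E1F0\tunknown\t/CN=alice\n"
    "R\t280101000000Z\t250615093000Z,keyCompromise\t"
    "11223344556677889900AABBCCDDEEFF\tunknown\t/CN=bob\n"
    "E\t240101000000Z\t\tFFEEDDCCBBAA99887766554433221100\tunknown\t/CN=carol\n"
    "V\t290101000000Z\t\t00112233445566778899AABBCCDDEEFF\tunknown\t/CN=alice\n"
)


@dataclass
class Entry:
    status: str                  # V = valid, R = revoked, E = expired
    expires: datetime            # always UTC
    revoked: Optional[datetime]  # set only for R rows
    reason: Optional[str]        # CRL reason, if the CA recorded one
    serial: str                  # upper-case hex, no 0x prefix
    subject: str


def db_date_to_datetime(s: str) -> datetime:
    """DB dates are YYMMDDHHMMSSZ (UTCTime) or YYYYMMDDHHMMSSZ
    (GeneralizedTime, used for years >= 2050).  Both are UTC."""
    if not s.endswith("Z"):
        raise ValueError(f"DB date must end in 'Z': {s!r}")
    body = s[:-1]
    if len(body) == 12:
        fmt = "%y%m%d%H%M%S"   # strptime pivots 00-68 to 20xx, 69-99 to 19xx
    elif len(body) == 14:
        fmt = "%Y%m%d%H%M%S"
    else:
        raise ValueError(f"unrecognised DB date: {s!r}")
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def db_date_to_iso_8601(s: str) -> str:
    """Render a DB date as ISO 8601 UTC, e.g. 2025-06-15T09:30:00Z."""
    return db_date_to_datetime(s).strftime("%Y-%m-%dT%H:%M:%SZ")


def is_128bit_serial(serial: str) -> bool:
    """A 128-bit serial is exactly 32 hex digits."""
    return len(serial) == 32 and all(c in "0123456789abcdefABCDEF" for c in serial)


def parse_index(text: str) -> List[Entry]:
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split("\t")
        if len(fields) != 6:
            raise ValueError(f"line {lineno}: expected 6 fields, got {len(fields)}")
        status, exp, rev, serial, _filename, subject = fields
        if status not in ("V", "R", "E"):
            raise ValueError(f"line {lineno}: unknown status {status!r}")
        revoked = reason = None
        if rev:
            # Revocation field is "<date>" or "<date>,<reason>".
            rdate, _, rreason = rev.partition(",")
            revoked = db_date_to_datetime(rdate)
            reason = rreason or None
        entries.append(Entry(status, db_date_to_datetime(exp), revoked, reason,
                             serial.upper(), subject))
    return entries


def seconds_until_expiry(entry: Entry, now: datetime) -> int:
    """Negative when the certificate has already expired."""
    return int((entry.expires - now).total_seconds())


def expiring_within(entries: List[Entry], now: datetime, days: int) -> List[Entry]:
    """V rows whose notAfter is on or before now + days (a V row already past
    its notAfter is included).  R and E rows are never reported."""
    window = now + timedelta(days=days)
    return [e for e in entries if e.status == "V" and e.expires <= window]


def duplicate_subjects(entries: List[Entry]) -> List[str]:
    """With 'unique_subject = yes' (the OpenSSL default) the CA refuses to sign
    a subject that already has a V row; R and E rows do not block.  Renewing a
    certificate in place therefore needs 'unique_subject = no'.  Returns the
    subjects that currently have more than one V row."""
    seen, dups = set(), set()
    for e in entries:
        if e.status != "V":
            continue
        if e.subject in seen:
            dups.add(e.subject)
        seen.add(e.subject)
    return sorted(dups)


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    db = parse_index(SAMPLE_INDEX)
    for e in expiring_within(db, now, 90):
        print(f"expiring: {e.subject} serial={e.serial} "
              f"in {seconds_until_expiry(e, now)}s ({e.expires.isoformat()})")
    for s in duplicate_subjects(db):
        print(f"duplicate valid subject: {s}")
```

Run it against a real pki/index.txt to get the same view show-expire gives; the second /CN=alice row in the sample is what a renewal produces, and it is only accepted at signing time because the 'unique_subject = no' attribute is present.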