chore(deps): update dependency openvpn/easy-rsa to v3.2.0 (release/2.6)

[openvpn-inc-ci]

This PR contains the following updates:

Package	Update	Change
OpenVPN/easy-rsa	minor	3.1.7 -> 3.2.0

---

Release Notes

OpenVPN/easy-rsa (OpenVPN/easy-rsa)

v3.2.0: 3.2.0

Compare Source

NOTICE: EasyRSA version 3.2.0 should be considered as a development snapshot.

EasyRSA v3.2.0 - Most significant changes

New commands:

• self-sign-server and self-sign-client (#​1127) Create self-signed certificates for use with OpenVPN Peer Fingerprint mode. These certificates comply with other EasyRSA signing policies.

• expire (#​1109) Selectively move certificates from the issued/ to expired/ directory. This allows a new certificate to be signed from the original signing request file. This allows all custom signing options to be applied as required. This replaces the old command renew, which has been removed. Further details: doc/EasyRSA-Renew-and-Revoke.md

• write (Commit: c814e0a) Create legacy support files: openssl-easyrsa.cnf, x509-types/* and vars.example. This allows EasyRSA to be used without having copies of the support files installed.

Removed commands:

• renew (#​1109) Replaced by command expire, followed by command sign-req. This allows all custom options to be used when signing, which renew did not.

• rebuild (Commit: d6953cc) and rewind-renew (Commit: 72b4079) No longer required.

• upgrade (Commit: 6a88edd) No longer supported.

New Global Option:

• --new-subject -- Command sign-req option: newsubj (#​1111) Edit Request Subject during command sign-req

New files:

• easyrsa-tools.lib (Commit: 214b909) Moved code for commands show-expire, show-revoke and show-renew to the new file. easyrsa-tools.lib is auto-loaded, if it is found in a supported location. eg. $pwd

---

• Revert ca76697: Restore escape_hazard() (b1e9d7a) (#​1137)
• New X509 Type: 'selfsign' Internal only (999533e) (#​1135)
• New commands: self-sign-server and self-sign-client (9f8a1d1) (#​1127)
• build-ca: Command 'req', remove SSL option '-keyout' (4e02c8a) (#​1123)
• Remove escape_hazard(), obsolete (ca76697)
• Remove command and function display_cn(), unused (be8f400) (#​1114)
• Introduce Options to edit Request Subject during command 'sign-req' Global Option: --new-subject -- Command 'sign-req' option: 'newsubj' First proposed in: (#​439) -- Completed: (83b81c7) (#​1111)
• docs: Update EasyRSA-Renew-and-Revoke.md (f6c2bf5) (#​1109)
• Remove all 'renew' code; replaced by 'expire' code (9d94207) (#​1109)
• Introduce commands: 'expire' and 'revoke-expired' (a1890fa) (#​1109)
• Keep request files [CSR] when revoking certificates (6d6e8d8) (#​1109)
• Restrict use of --req-cn to build-ca (0a46164) (#​1098)
• Remove command 'display-san' (Code removed in 5a06f94) (50e6002) (#​1096)
• help: Add 'copyext'; How to use --copy-ext and --san (5a06f94) (#​1096)
• Allow --san to be used multiple times (5a06f94) (#​1096)
• Remove default server subject alternative name (0b85a5d) (#​576)
• Move Status Reports to 'easyrsa-tools.lib' (214b909) (#​1080)
• export-p12, OpenSSL v1.x: Upgrade PBE and MAC options (60a508a) (#​1084 - Based on #​1081)
• Windows: Introduce 'Non-Admin' mode (c2823c4) (#​1073)
• LibreSSL: Add fix for missing 'x509' option '-ext' (96dd959) (#​1068)
• Variable heredoc expansion for SSL/Safe Config file (9c5d423) (#​1064)

Branch-merge: v3.2.0-beta2 (#​1055) 2024/01/13 Commit: d51d79b

• Always use here-doc version of openssl-easyrsa.cnf (2a8c0de) Only use here-doc if the current version is recognised by sha256 hash. The current file is NEVER deleted (60216d5). Partially revert: 2a8c0de
• export-p12: New command option 'legacy'. OpenSSL V3 Only (f8514de) Fallback to encryption algorithm RC2_CBC or 3DES_CBC
• export-p12: Always set 'friendlyName' to file-name-base (da9e594)
• Update OpenSSL to 3.2.0 (03e4829)

Branch-merge: v3.2.0-beta1 (#​1046) 2023/12/15 Commit: 7120876

• Important note: As of Easy-RSA version 3.2.0-beta1, the configuration files vars.example, openssl-eayrsa.cnf and all files in x509-types directory are no longer required. Package maintainers can omit these files in the future. All files are created as required and deleted upon command completion. vars.example is created during init-pki and placed in the fresh PKI. These files will be retained for downstream packaging compatibility.

• Rename X509-type file code-signing to codeSigning (1c6b31a) The original file will be retained as code-signing, however, the automatic X509-types creation will name the file codeSigning. This effectively means that both are valid X509-types, until code-signing is dropped.

• init-pki: Always write vars.example file to fresh PKI (66a8f3e)

• New command 'write': Write 'legacy' files to stdout or files (c814e0a)

• Remove command 'make-safe-ssl': Replaced by command 'write safe-cnf' (c814e0a)

• New Command 'rand': Expose easyrsa_random() to the command line (6131cbf)

• Remove function 'set_pass_legacy()' (7470c2a)

• Remove command 'rewind-renew' (72b4079)

• Remove command 'rebuild' (d6953cc)

• Remove command 'upgrade' (6a88edd)

Branch-merge: v3.2.0-alpha2 (#​1043) 2023/12/7 Commit: ed0dc46

• Remove EASYRSA_NO_VARS; Allow graceful use without a vars file (3c0ca17)

Branch-merge: v3.2.0-alpha1 (#​1041) 2023/12/2 Commit: 42c2e95

• New diagnostic command 'display-cn' (#​1040)
• Expand renewable certificate types to include code-signing (#​1039)

What's Changed

• Command: x509-eku v2 by @​TinCanTech in https://github.com/OpenVPN/easy-rsa/pull/1039
• v3.2.0-alpha1 by @​TinCanTech in https://github.com/OpenVPN/easy-rsa/pull/1041
• Remove unwanted code - Minor improvements by @​TinCanTech in https://github.com/OpenVPN/easy-rsa/pull/1036
• escape_hazarrd(): Reuse source_vars() by @​TinCanTech in https://github.com/OpenVPN/easy-rsa/pull/1037
• v3.2.0-alpha2 by @​TinCanTech in https://github.com/OpenVPN/easy-rsa/pull/1043
• v3.2.0-Remove-commands by @​TinCanTech in https://github.com/OpenVPN/easy-rsa/pull/1045
• v3.2.0-beta1 by @​TinCanTech in https://github.com/OpenVPN/easy-rsa/pull/1046
• export-p12: New command option 'legacy' by @​spacefreak86 in https://github.com/OpenVPN/easy-rsa/pull/1057
• v3.2.0-beta2 by @​TinCanTech in https://github.com/OpenVPN/easy-rsa/pull/1055
• Replace use of sed with heredoc expansion by @​TinCanTech in https://github.com/OpenVPN/easy-rsa/pull/1064
• Restore 128bit-random certificate serial-number by @​TinCanTech in https://github.com/OpenVPN/easy-rsa/pull/1070
• LibreSSL: Add band-aid fix for missing 'x509' command option '-ext' by @​TinCanTech in https://github.com/OpenVPN/easy-rsa/pull/1071
• Windows: Introduce 'Non-Admin' mode by @​TinCanTech in https://github.com/OpenVPN/easy-rsa/pull/1073
• export-p12, OpenSSL v1.x: Upgrade PBE and MAC options by @​TinCanTech in https://github.com/OpenVPN/easy-rsa/pull/1084
• Completely remove status reports and date functions by @​TinCanTech in https://github.com/OpenVPN/easy-rsa/pull/1080
• sign-req: Remove default server 'subject alternative name' SAN by @​TinCanTech in https://github.com/OpenVPN/easy-rsa/pull/1091
• Separate SAN from DN - Refactor display_dn() by @​TinCanTech in https://github.com/OpenVPN/easy-rsa/pull/1096
• Restrict use of --req-cn to build-ca by @​TinCanTech in https://github.com/OpenVPN/easy-rsa/pull/1098
• New function easyrsa_mkdir_p(): Replace use of 'mkdir -p' by @​TinCanTech in https://github.com/OpenVPN/easy-rsa/pull/1101
• Shellcheck directives and minor tweak by @​TinCanTech in https://github.com/OpenVPN/easy-rsa/pull/1105
• easyrsa_mkdir_p(): Ignore 'mkdir.exe' error code in favor of 'test' by @​TinCanTech in https://github.com/OpenVPN/easy-rsa/pull/1106
• Revoke keep request by @​TinCanTech in https://github.com/OpenVPN/easy-rsa/pull/1109
• Add an option to change the subject when signing a request. V2 by @​TinCanTech in https://github.com/OpenVPN/easy-rsa/pull/1111
• Remove command and function display_cn(), unused by @​TinCanTech in https://github.com/OpenVPN/easy-rsa/pull/1114
• Remove escape_hazard() by @​TinCanTech in https://github.com/OpenVPN/easy-rsa/pull/1115
• build-ca: Command 'req', remove SSL option '-keyout' by @​TinCanTech in https://github.com/OpenVPN/easy-rsa/pull/1123
• Improve ssl_cert_x509v3_eku() by @​TinCanTech in https://github.com/OpenVPN/easy-rsa/pull/1125
• Remove variable 'makesafeconf' as obsolete by @​TinCanTech in https://github.com/OpenVPN/easy-rsa/pull/1126
• Introduce commands: self-sign-server and self-sign-client by @​TinCanTech in https://github.com/OpenVPN/easy-rsa/pull/1127
• Command inline: Support self-signed certificate called from cmd-line by @​TinCanTech in https://github.com/OpenVPN/easy-rsa/pull/1128
• self-sign: Improve default algorithm and curve selection by @​TinCanTech in https://github.com/OpenVPN/easy-rsa/pull/1134
• self-sign: Adjust 'X509v3 Key Usage' by @​TinCanTech in https://github.com/OpenVPN/easy-rsa/pull/1135
• Revert ca76697: Remove escape_hazard() by @​TinCanTech in https://github.com/OpenVPN/easy-rsa/pull/1137
• LibreSSL: Ignore and discard missing config file warning by @​TinCanTech in https://github.com/OpenVPN/easy-rsa/pull/1138
• Minor corrections and improvements by @​TinCanTech in https://github.com/OpenVPN/easy-rsa/pull/1140
• sign-req: Improve confirmation details by @​TinCanTech in https://github.com/OpenVPN/easy-rsa/pull/1141

New Contributors

• @​spacefreak86 made their first contribution in https://github.com/OpenVPN/easy-rsa/pull/1057

Full Changelog: https://github.com/OpenVPN/easy-rsa/compare/v3.1.7...v3.2.0

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.