easy-rsa
Incorrect SAN is selected for a server named '555.1.1.1'
default_server_san() mistakes a commonName for an IP address when the CN "looks like" an IP address.
Example:
Input:
easyrsa build-server-full 1.2.3.4 nopass
Result:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            d9:d8:be:0c:af:9b:f4:a9:5d:d9:a5:0e:f4:34:e8:26
        Signature Algorithm: sha256WithRSAEncryption
        Issuer:
            commonName = Easy-RSA CA
        Validity
            Not Before: May 19 12:20:30 2022 GMT
            Not After : Aug 21 12:20:30 2024 GMT
        Subject:
            commonName = 1.2.3.4
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Subject Key Identifier:
                C8:13:5F:EE:4E:CA:D9:B0:E9:95:04:EB:B4:85:1A:F0:00:D3:49:B9
            X509v3 Authority Key Identifier:
                keyid:BA:01:7C:64:54:ED:DC:4A:1F:51:E4:07:30:C5:C8:D4:A1:D6:4F:E6
                DirName:/CN=Easy-RSA CA
                serial:6F:7D:19:CD:52:3D:3D:DF:F9:8D:49:5C:7A:50:77:AA:6B:50:8D:19
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                IP Address:1.2.3.4
Technically, 1.2.3.4 is the commonName, not an IP address.
Additionally, default_server_san() does not support IPv6.
It appears to me that this idea of "automatically" selecting a SAN to be an IP is flawed. It is meant as a "shortcut".
Is there any reason to keep it this way?
Who would like to write a reliable version for IPv6?
FTR: My intention is to rip it out. I'll deprecate it first.
Unless there is some valid reason to keep it. That reason would also have to include IPv6.
Example:
- I wish to build a server certificate with the commonName of 555.555.555.555.
$ easyrsa build-server-full 555.555.555.555 nopass
* Using SSL: openssl OpenSSL 1.1.1f 31 Mar 2020
* Using Easy-RSA configuration: /home/tct/git/easy-rsa/test/installed/test/vars
* The preferred location for 'vars' is within the PKI folder.
To silence this message move your 'vars' file to your PKI
or declare your 'vars' file with option: --vars=<FILE>
* Using x509-types directory: /usr/local/share/easy-rsa/x509-types
Generating a RSA private key
........................................................+++++
...............+++++
writing new private key to '/home/tct/git/easy-rsa/test/installed/test/pki/c5f79a8f/temp.5752c1a1'
-----
Notice
------
Keypair and certificate request completed. Your files are:
req: /home/tct/git/easy-rsa/test/installed/test/pki/reqs/555.555.555.555.req
key: /home/tct/git/easy-rsa/test/installed/test/pki/private/555.555.555.555.key
Using configuration from /home/tct/git/easy-rsa/test/installed/test/pki/c5f79a8f/temp.f5cb6d9b
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName :ASN.1 12:'555.555.555.555'
ERROR: adding extensions in section default
139814683428160:error:220A4076:X509 V3 routines:a2i_GENERAL_NAME:bad ip address:../crypto/x509v3/v3_alt.c:477:value=555.555.555.555
139814683428160:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:../crypto/x509v3/v3_conf.c:47:name=subjectAltName, value=IP:555.555.555.555
Easy-RSA error:
signing failed (openssl output above may have more detail)
EasyRSA Version Information
Version: ~VER~
Generated: ~DATE~
SSL Lib: OpenSSL 1.1.1f 31 Mar 2020
Git Commit: ~GITHEAD~
Source Repo: https://github.com/OpenVPN/easy-rsa
Host: dev | nix | Linux | /bin/bash | OpenSSL 1.1.1f 31 Mar 2020
Easy-RSA error:
Failed to sign '555.555.555.555' - See error messages above for details.
EasyRSA Version Information
Version: ~VER~
Generated: ~DATE~
SSL Lib: OpenSSL 1.1.1f 31 Mar 2020
Git Commit: ~GITHEAD~
Source Repo: https://github.com/OpenVPN/easy-rsa
Host: dev | nix | Linux | /bin/bash | OpenSSL 1.1.1f 31 Mar 2020
Edit: un-Officially deprecated, as of this post.
I see no complaints.
This has to go.
A simple work-around:
easyrsa --nopass --san=DNS:555.1.1.1 build-server-full 555.1.1.1
Work-around above will do.
This still bugs me.
Another example:
build-server-full 001.002.003.004
Result:
Subject:
commonName = 001.002.003.004
X509v3 Subject Alternative Name:
IP Address:1.2.3.4
The basic fact is this:
- EasyRSA should NOT assume that a server with commonName equal to 1.2.3.4 should have a subject alternative name equal to IP:1.2.3.4.
EasyRSA should behave as instructed by command line options.
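The two failure modes shown in this thread (555.555.555.555 rejected by OpenSSL, 001.002.003.004 silently rewritten to 1.2.3.4, IPv6 never considered) all come from deciding "is this an IP?" by shape rather than by strict parsing. The following is an added example, not easy-rsa code and not a reconstruction of default_server_san(): the dotted-digits regex is my own stand-in for that kind of shortcut, and the strict classifier beside it shows what a check would have to do to be safe to act on automatically (exact four decimal octets 0..255, no leading zeros, IPv6 accepted, zone IDs refused).

```python
"""Naive "looks like an IP" matching vs. strict classification of a commonName.

Added example; not part of easy-rsa. The naive matcher is an assumed stand-in
for a shape-based shortcut, not the project's actual default_server_san().
"""
import ipaddress
import re

# Assumed stand-in for a "looks like an IPv4 address" shortcut:
# four dot-separated runs of digits, with no range or leading-zero checks.
_DOTTED_DIGITS = re.compile(r"^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$")


def naive_looks_like_ipv4(cn: str) -> bool:
    """Shape-only test: matches 555.555.555.555 and 001.002.003.004 too."""
    return bool(_DOTTED_DIGITS.match(cn))


def strict_ip_version(cn: str):
    """Return 4 or 6 if cn is a canonical IP literal, otherwise None.

    Refuses what OpenSSL would reject ('555.555.555.555', bad ip address) and
    what it would silently normalise ('001.002.003.004' -> 1.2.3.4), so the
    string in the certificate is exactly the string the operator typed.
    """
    if _DOTTED_DIGITS.match(cn):
        for octet in cn.split("."):
            leading_zero = len(octet) > 1 and octet[0] == "0"
            if leading_zero or int(octet) > 255:
                return None
        return 4
    if "%" in cn:
        # fe80::1%eth0 parses in newer Pythons but is not a valid SAN literal.
        return None
    try:
        addr = ipaddress.ip_address(cn)
    except ValueError:
        return None
    # Anything that parsed here but is not dotted-decimal v4 is IPv6.
    return 6 if addr.version == 6 else None


def san_for_common_name(cn: str) -> str:
    """SAN entry to use when the operator gave no --san: IP: only for a
    strictly valid literal, DNS: for everything else (the thread's workaround)."""
    if strict_ip_version(cn) is not None:
        return f"IP:{cn}"
    return f"DNS:{cn}"


def compare(common_names):
    """Side-by-side view: (cn, naive_says_ip, strict_version, san_entry)."""
    return [
        (cn, naive_looks_like_ipv4(cn), strict_ip_version(cn), san_for_common_name(cn))
        for cn in common_names
    ]


if __name__ == "__main__":
    # Constructed sample inputs taken from the cases discussed in the thread.
    samples = [
        "1.2.3.4",
        "555.555.555.555",
        "001.002.003.004",
        "2001:db8::1",
        "fe80::1%eth0",
        "vpn.example.com",
    ]
    for cn, naive, version, san in compare(samples):
        print(f"{cn:20} naive_ip={naive!s:5} strict={version!s:4} -> {san}")
```

The point of the comparison is that the naive matcher returns True for both problem inputs from the thread, while the strict check returns None for them and only accepts 1.2.3.4 and the IPv6 literal; whether a tool should act on even the strict answer without being told to is the question the thread settles by removing the automatic SAN altogether.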
Related: #1086
Following from #1088
I believe that Easy-RSA offers suitable methods to configure SAN as required and that the automatic creation of an ipv4-address SAN is obsolete.
The resolution here is to remove the appallingly bad effort to create automatic SAN for IP v4(only) addresses.
The only automatic SAN that is available to Easy-RSA is the standard server commonName, therefore, no alternate name is required, unless defined by the user.
Moving forward, version 3.2 will remove auto-SAN.
Default commonName SAN may linger, temporarily ..
EASYRSA_EXTRA_EXTS can remain as an undefined anomaly.
Follow-up: #1091
Closed via 0b85a5d