easyrsa-tools.lib: renew: Provide support for OpenSSL 1.1.0

Required: OpenVPN/easyrsa-unit-tests@c4d2fe4 Signed-off-by: Richard T Bonhomme <[email protected]>
OpenVPN · Oct 22, 2024 · 65737c6 · 65737c6
1 parent 2edfb4e
commit 65737c6
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 3 deletions.
diff --git a/dev/easyrsa-tools.lib b/dev/easyrsa-tools.lib
@@ -767,7 +767,14 @@ Cannot renew this certificate, a conflicting file exists:
 			die "Failed to create inline directoy."
 
 	# Extract certificate usage from old cert
-	ssl_cert_x509v3_eku "$crt_in" cert_type
+	if ! ssl_cert_x509v3_eku "$crt_in" cert_type; then
+		# On failure, try using openssl 1.1.0
+		cert_type=
+		openssl_v110=1
+		ssl_cert_x509v3_eku "$crt_in" cert_type || \
+			die "renew - ssl_cert_x509v3_eku openssl_v110 failed"
+		openssl_v110=
+	fi
 
 	# Use SAN from old cert ONLY
 	if grep 'X509v3 Subject Alternative Name' "$crt_in"; then

diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa
@@ -1217,7 +1217,7 @@ verify_ssl_lib() {
 	# Run once only
 	[ "$verify_ssl_lib_ok" ] && return
 	verify_ssl_lib_ok=1
-	unset -v openssl_v3
+	unset -v openssl_v3 openssl_v110
 
 	# redirect std-err, ignore missing ssl/openssl.cnf
 	val="$(
@@ -4145,7 +4145,7 @@ ssl_cert_x509v3_eku() {
 	unset -v __known
 
 	# Extract certificate Extended Key Usage
-	if [ "$ssl_lib" = libressl ]; then
+	if [ "$ssl_lib" = libressl ] || [ "$openssl_v110" ]; then
 		__eku="$(
 			"$EASYRSA_OPENSSL" x509 -in "${__crt}" -noout -text | \
 				sed -n "/${__pattern}/{n;s/^ *//g;p;}"