From 4bb12c4b10d7da363b62c6636885798de6761383 Mon Sep 17 00:00:00 2001
From: omgagg
Date: Sun, 5 Feb 2023 15:30:53 +0300
Subject: [PATCH 1/4] Fix PKCS#12 file creation (#14558)
---
 roles/strongswan/tasks/openssl.yml | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/roles/strongswan/tasks/openssl.yml b/roles/strongswan/tasks/openssl.yml
index f51ac9dd0..421f512a5 100644
--- a/roles/strongswan/tasks/openssl.yml
+++ b/roles/strongswan/tasks/openssl.yml
@@ -155,10 +155,19 @@
 format: OpenSSH
 with_items: "{{ users }}"
+ - name: Gather the package facts
+ ansible.builtin.package_facts:
+ manager: auto
+
+ - name: Get OpenSSL version
+ set_fact:
+ openssl_version: "{{ ansible_facts.packages['openssl'][0]['version'] }}"
+
 - name: Build the client's p12
 shell: >
 umask 077;
 {{ openssl_bin }} pkcs12
+ {{ (openssl_version is version('3', '>=')) | ternary('-legacy', '') }}
 -in certs/{{ item }}.crt
 -inkey private/{{ item }}.key
 -export
@@ -175,6 +184,7 @@
 shell: >
 umask 077;
 {{ openssl_bin }} pkcs12
+ {{ (openssl_version is version('3', '>=')) | ternary('-legacy', '') }}
 -in certs/{{ item }}.crt
 -inkey private/{{ item }}.key
 -export
From 8fb897d68005f28595f4788c7f1e0c11ebd57d7d Mon Sep 17 00:00:00 2001
From: omgagg
Date: Sun, 5 Feb 2023 15:32:21 +0300
Subject: [PATCH 2/4] Fix reference to config dir of installed server
---
 users.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/users.yml b/users.yml
index e9e8c0868..02321ad40 100644
--- a/users.yml
+++ b/users.yml
@@ -26,7 +26,7 @@
 server_list: >-
 [{% for i in _configs_list.files %}
 {% set config = lookup('file', i.path)|from_yaml %}
- '{{ config.server }}'
+ '{{ config.IP_subject_alt_name }}'
 {{ ',' if not loop.last else '' }}
 {% endfor %}]
From 5394f0623c2179f89dfdc1127afce79be5497c5d Mon Sep 17 00:00:00 2001
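Review bot: The `-legacy` flag added to the `Build the client's p12` task switches `openssl pkcs12` on OpenSSL 3 hosts to its legacy PBE set (RC2-40 or 3DES for the certificate bag depending on the build, 3DES for the key, a SHA-1 MAC) in place of the AES-256-CBC/PBKDF2 defaults, so every exported client bundle becomes weaker than before the patch; the same line is added in the second `pkcs12` hunk (`@@ -175,6 +184,7 @@`). Nothing in the task records why this is needed, so a comment above `shell: >` such as `# -legacy keeps the .p12 importable by clients that cannot read OpenSSL 3's default PBES2/AES-256 encoding; it downgrades the bundle to RC2/3DES with a SHA-1 MAC` would let a maintainer drop it once the target clients catch up. If the compatibility target is known, pinning the exact algorithms with `-certpbe`, `-keypbe` and `-macalg` is narrower than enabling the whole legacy set. The task body continues past the hunk's last line.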
From: Ken Craig
Date: Tue, 4 Jul 2023 13:32:12 -0400
Subject: [PATCH 3/4] Fixed issue with getting openssl version from existing fact, get it with shell script instead. This may not work in Windows (trailofbits#14558)
---
 roles/strongswan/tasks/openssl.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/roles/strongswan/tasks/openssl.yml b/roles/strongswan/tasks/openssl.yml
index 421f512a5..83a331fe9 100644
--- a/roles/strongswan/tasks/openssl.yml
+++ b/roles/strongswan/tasks/openssl.yml
@@ -160,8 +160,13 @@
 manager: auto
 - name: Get OpenSSL version
+ shell: openssl version | cut -f 2 -d ' '
+ register: ssl_version
+ run_once: true
+
+ - name: Set OpenSSL version fact
 set_fact:
- openssl_version: "{{ ansible_facts.packages['openssl'][0]['version'] }}"
+ openssl_version: "{{ ssl_version.stdout }}"
 - name: Build the client's p12
 shell: >
From 43212128ae6ab58c963f277c7d308f510ddfe201 Mon Sep 17 00:00:00 2001
From: Ken Craig
Date: Tue, 4 Jul 2023 14:07:48 -0400
Subject: [PATCH 4/4] Consistent with other shell executions, fix to use {{openssl_bin}} and pipefile option in the shell command for getting openssl version number (trailofbits#14558)
---
 roles/strongswan/tasks/openssl.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/roles/strongswan/tasks/openssl.yml b/roles/strongswan/tasks/openssl.yml
index 83a331fe9..1ffed904b 100644
--- a/roles/strongswan/tasks/openssl.yml
+++ b/roles/strongswan/tasks/openssl.yml
@@ -160,7 +160,10 @@
 manager: auto
 - name: Get OpenSSL version
- shell: openssl version | cut -f 2 -d ' '
+ shell: |
+ set -o pipefail
+ {{ openssl_bin }} version |
+ cut -f 2 -d ' '
 register: ssl_version
 run_once: true
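Review bot: The new `Get OpenSSL version` task runs a read-only command but sets no `changed_when`, so every play reports it as changed, and under `--check` the `shell` module is skipped, which leaves `ssl_version.stdout` undefined when the following `Set OpenSSL version fact` task reads it. Adding `changed_when: false` and `check_mode: false` beside `register: ssl_version` fixes both; the hunk in the next commit (`@@ -160,7 +160,10 @@`) rewrites the same task and does not add them either. With `run_once: true` the value sampled on one host appears to be what every host will use in the `-legacy` ternary, which is fine for a single server but deserves a comment if multi-host inventories are expected.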
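Review bot: `set -o pipefail` in the rewritten `shell: |` block executes under the shell module's default `/bin/sh`; where that is a dash build without pipefail support (the Debian/Ubuntu releases current at this commit), the first line fails with an illegal-option error and the task aborts before `{{ openssl_bin }} version` runs. Keep the pipefail but pin the interpreter with `args:` / `executable: /bin/bash` on the task, which is also what ansible-lint's risky-shell-pipe rule expects alongside `set -o pipefail`. If `openssl_bin` can resolve to LibreSSL (whose `openssl version` prints `LibreSSL x.y.z`), `cut -f 2` still yields a number that satisfies the later `version('3', '>=')` test and `-legacy` would be passed to a binary that does not accept it, so checking the first field before trusting the second would close that gap. The trailing context line of this hunk is not visible in the collapsed source.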