From 7cff994b7092e194d722cf2019dbdb898cc4ed06 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 3 Sep 2024 20:28:08 +0100 Subject: [PATCH 01/14] Windows, easyrsa-shell-init.sh: Add prompts to 'read' before errors Signed-off-by: Richard T Bonhomme --- distro/windows/bin/easyrsa-shell-init.sh | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/distro/windows/bin/easyrsa-shell-init.sh b/distro/windows/bin/easyrsa-shell-init.sh index ee57eebdd..48c993094 100644 --- a/distro/windows/bin/easyrsa-shell-init.sh +++ b/distro/windows/bin/easyrsa-shell-init.sh @@ -6,6 +6,8 @@ # project; use with other POSIX shells for Windows may require modification to # this wrapper script. +echo "Easy-RSA starting.." + setup_path="${EASYRSA:-$PWD}" export PATH="$setup_path;$setup_path/bin;$PATH" export HOME="$setup_path" @@ -24,9 +26,8 @@ for f in $extern_list; do echo " Your installation is incomplete and cannot function without the required" echo " files." echo "" - echo " Press enter to exit." #shellcheck disable=SC2162 - read + read -p "Press Enter or CTRL-C to exit." exit 1 fi done @@ -48,16 +49,13 @@ done # Access denied access_denied() { echo "Access error: $1" - cat << "ACCESS_DENIED_MSG" - + echo "\ To use Easy-RSA in a protected system directory, you must have -full administrator privileges via Windows User Access Control. - -Press Enter or CTRL-C to exit. -ACCESS_DENIED_MSG +full administrator privileges via Windows User Access Control." + echo "" #shellcheck disable=SC2162 - read + read -p "Press Enter or CTRL-C to exit." exit 1 } @@ -130,6 +128,7 @@ fi [ -f "$setup_path/easyrsa" ] || { echo "Missing easyrsa script. Expected to find it at: $setup_path/easyrsa" + read -p "Press Enter or CTRL-C to exit." exit 2 } From bfe7db3c8203952902b0527386c09fd97de91c5d Mon Sep 17 00:00:00 2001 
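Review bot: `read -p "Press Enter or CTRL-C to exit."` in the missing-file branch of the `for f in $extern_list` loop uses an option that POSIX does not define for `read`. In ksh-family shells `-p` reads from a co-process instead of printing a prompt, so the message may never appear and the pause may not happen. The file header says other POSIX shells may need changes to this wrapper, so confirm the behaviour in the bundled shell. A portable form is `printf '%s' "Press Enter or CTRL-C to exit."` followed by `read -r dummy`. The same call is added in `access_denied()` and in the "Missing easyrsa script" block, and that last one also lacks the `#shellcheck disable=SC2162` line the other two keep.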
From: Richard T Bonhomme Date: Tue, 3 Sep 2024 20:30:12 +0100 Subject: [PATCH 02/14] Minor style improvements secure_session(): Use short-circuit and unset variables consistently easyrsa_mktemp(): Minor improvements. Set $EASYRSA_MAX_TEMP to 1, now that subshell abuse has been irradicated. Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 46 ++++++++++++++++++++++++++-------------------- 1 file changed, 26 insertions(+), 20 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index d7d0cfa1b..ed53ff63b 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -778,17 +778,16 @@ easyrsa_random() { # Create session directory atomically or fail secure_session() { - # Session is already defined - [ "$secured_session" ] && die "session overload" + # Session must not be defined + [ -z "$secured_session" ] || die "session overload" - # temporary directory must exist - if [ ! -d "$EASYRSA_TEMP_DIR" ]; then - die "secure_session - Missing temporary directory: + # Temporary directory must exist + [ -d "$EASYRSA_TEMP_DIR" ] || die "\ +secure_session - Missing temporary directory: * $EASYRSA_TEMP_DIR" - fi - session= for i in 1 2 3; do + session= easyrsa_random 4 session secured_session="${EASYRSA_TEMP_DIR}/${session}" @@ -807,7 +806,8 @@ secure_session() { die "secure_session - temp-file EXISTS" # New session requires safe-ssl conf - unset -v session OPENSSL_CONF safe_ssl_cnf_tmp \ + unset -v session OPENSSL_CONF \ + EASYRSA_SSL_CONF safe_ssl_cnf_tmp \ working_safe_ssl_conf working_safe_org_conf easyrsa_err_log="$secured_session/error.log" 
@@ -825,9 +825,9 @@ remove_secure_session() { if rm -rf "$secured_session"; then verbose "\ remove_secure_session: DELETED: $secured_session" - unset -v secured_session \ - safe_ssl_cnf_tmp working_safe_ssl_conf \ - EASYRSA_SSL_CONF OPENSSL_CONF + unset -v secured_session OPENSSL_CONF \ + EASYRSA_SSL_CONF safe_ssl_cnf_tmp \ + working_safe_ssl_conf working_safe_org_conf return fi die "remove_secure_session Failed: $secured_session" @@ -848,7 +848,9 @@ easyrsa_mkdir() { # will hide error message and verbose messages # from easyrsa_mktemp() easyrsa_mktemp() { - [ "$#" = 1 ] || die "easyrsa_mktemp - input error" + if [ -z "$1" ] || [ "$2" ]; then + die "easyrsa_mktemp - input error" + fi # session directory must exist [ -d "$secured_session" ] || die "\ @@ -865,8 +867,8 @@ easyrsa_mktemp - Temporary session undefined (--tmp-dir)" tmp_fname="${secured_session}/temp.${mktemp_counter}" # Create shotfile - for ext_shot in x y z; do - shotfile="${tmp_fname}.${ext_shot}" + for shot_try in x y z; do + shotfile="${tmp_fname}.${shot_try}" if [ -f "$shotfile" ]; then verbose "\ easyrsa_mktemp: shotfile EXISTS: $shotfile" @@ -878,13 +880,16 @@ easyrsa_mktemp: create shotfile failed (1) $1" # Create temp-file or die # subshells do not update mktemp_counter, # which is why this extension is required. - # Current max required is 3 attempts + # Current max required is 1 attempt for ext_try in 1 2 3 4 5 6 7 8 9; do want_tmp_file="${tmp_fname}.${ext_try}" # Warn to error log file for max reached - [ "$EASYRSA_MAX_TEMP" -gt "$ext_try" ] || print "\ -Max temp-file limit $ext_try, hit for: $1" >> "$easyrsa_err_log" + if [ "$EASYRSA_MAX_TEMP" -lt "$ext_try" ]; then + print "\ +Max temp-file limit $ext_try, hit for: $1" > "$easyrsa_err_log" + die "EASYRSA_MAX_TEMP exceeded" + fi if [ -f "$want_tmp_file" ]; then verbose "\ 
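Review bot: The new limit check in the `for ext_try` loop fails open when `EASYRSA_MAX_TEMP` is empty or not a number: `[ "$EASYRSA_MAX_TEMP" -lt "$ext_try" ]` then returns an error status, the `if` treats it as false, and the cap is never applied, whereas the removed `-gt ... ||` form at least took the warning path. If the value can come from a vars file or the environment, validate it before the loop, for example `case "$EASYRSA_MAX_TEMP" in ''|*[!0-9]*) die "EASYRSA_MAX_TEMP must be a number" ;; esac`. Switching `>>` to `>` here, and again in the later `err_msg` hunk, truncates `$easyrsa_err_log`, so anything logged earlier in the session is lost just before `die`; if that is intended, a comment such as `# overwrite: only the fatal entry is kept` would say so. The comment above the loop still justifies the extension by subshells not updating `mktemp_counter`, which no longer fits "max required is 1 attempt". easyrsa_mktemp() starts and ends outside this hunk.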
@@ -909,7 +914,8 @@ easyrsa_mktemp: temp-file EXISTS: $want_tmp_file" # Update counter mktemp_counter="$((mktemp_counter+1))" - unset -v shotfile ext_shot \ + unset -v tmp_fname \ + shotfile shot_try \ want_tmp_file ext_try return else @@ -933,7 +939,7 @@ easyrsa_mktemp - force_set_var $1 failed" err_msg="\ easyrsa_mktemp - failed for: $1 @ attempt=$ext_try want_tmp_file: $want_tmp_file" - print "$err_msg" >> "$easyrsa_err_log" + print "$err_msg" > "$easyrsa_err_log" die "$err_msg" } # => easyrsa_mktemp() @@ -4547,7 +4553,7 @@ Algorithm '$EASYRSA_ALGO' is invalid: Must be 'rsa', 'ec' or 'ed'" set_var EASYRSA_KDC_REALM "CHANGEME.EXAMPLE.COM" - set_var EASYRSA_MAX_TEMP 4 + set_var EASYRSA_MAX_TEMP 1 } # => default_vars() # Validate expected values for EASYRSA and EASYRSA_PKI From b2f791218df629d64db6a4e25ec95245fec8f990 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 3 Sep 2024 20:53:08 +0100 Subject: [PATCH 03/14] build-ca: Exit with error for unknown command options Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index ed53ff63b..631cf64ff 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -1600,7 +1600,7 @@ build_ca() { raw-ca|raw) EASYRSA_RAW_CA=1 ;; - *) warn "Ignoring unknown command option: '$1'" + *) user_error "Unknown command option: '$1'" esac shift done From 07f21d35f24810868da7aa61b21f5fe23a2d51f3 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 3 Sep 2024 20:59:24 +0100 Subject: [PATCH 04/14] gen-req: Exit with error for unknown command options Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 631cf64ff..f7597141a 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa 
@@ -2223,7 +2223,7 @@ Run easyrsa without commands for usage and commands." batch) ssl_batch=1 ;; - *) warn "Ignoring unknown command option: '$1'" + *) user_error "Unknown command option: '$1'" esac shift done From 0ff7f4c9fcec938d14028cce3ef7bf69a86e0524 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 3 Sep 2024 21:11:41 +0100 Subject: [PATCH 05/14] build_full(): Exit with error for unknown command options Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index f7597141a..0da41bdf9 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -2887,7 +2887,7 @@ Run easyrsa without commands for usage and commands." nopass) [ "$prohibit_no_pass" ] || EASYRSA_NO_PASS=1 ;; - *) warn "Ignoring unknown command option: '$1'" + *) user_error "Unknown command option: '$1'" esac shift done From 2c51288474621dfd0803dc29b830e053d9943ef7 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 3 Sep 2024 21:27:30 +0100 Subject: [PATCH 06/14] export_pkcs(): Exit with error for unknown command options Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 0da41bdf9..f5d934478 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -3645,7 +3645,7 @@ Run easyrsa without commands for usage and command help." fi ;; *) - warn "Ignoring unknown option: '$1'" + user_error "Unknown command option: '$1'" esac shift done From 1266d4e8f896ea110fbeb28f76033b186c027b9d Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 3 Sep 2024 21:29:20 +0100 Subject: [PATCH 07/14] set-pass: Exit with error for unknown command options Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index f5d934478..c0938b03b 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa 
@@ -3890,7 +3890,7 @@ Missing argument: no name/file supplied." file) file="$raw_file" ;; - *) warn "Ignoring unknown command option: '$1'" + *) user_error "Unknown command option: '$1'" esac shift done From e2b9561f5cfea6c839af9eb1a449321e16d33d26 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 3 Sep 2024 21:48:45 +0100 Subject: [PATCH 08/14] Output functions: Allow multi-part input Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index c0938b03b..0c779aaba 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -670,7 +670,7 @@ die() { print " Easy-RSA error: -$1${NL}" +$*${NL}" # error_info is for hard-to-spot errors! if [ "$error_info" ]; then @@ -691,7 +691,7 @@ EasyRSA version $EASYRSA_version Error ----- -$1${NL}" +$*${NL}" easyrsa_exit_with_error=1 cleanup @@ -700,7 +700,7 @@ $1${NL}" # verbose information verbose() { [ "$EASYRSA_VERBOSE" ] || return 0 - printf '%s\n' " # $*" + print " # $*" } # => verbose() # non-fatal warning output @@ -709,7 +709,7 @@ warn() { print " WARNING ======= -$1${NL}" +$*${NL}" } # => warn() # informational notices to stdout @@ -718,13 +718,13 @@ notice() { print " Notice ------ -$1${NL}" +$*${NL}" } # => notice() # Helpful information information() { [ "$EASYRSA_SILENT" ] && return - print "$1" + print "$*" } # => information() # intent confirmation helper func From fcd9b6adf25a2e422e5cf367375d15873e9a06db Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 3 Sep 2024 22:02:57 +0100 Subject: [PATCH 09/14] easyrsa_random(): Remove outdated comment Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 3 --- 1 file changed, 3 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 0c779aaba..4a2dc2675 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa 
@@ -751,9 +751,6 @@ Type the word '$value' to continue, or any other input to abort." } # => confirm() # Generate random hex -# Cannot use easyrsa-openssl() due to chicken vs egg, -# easyrsa_openssl() creates temp-files, -# which needs `openssl rand`. easyrsa_random() { case "$1" in *[!1234567890]*|0*|"") From fbcd143413156c717c0d66d1219393dfe9ffe0f6 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 3 Sep 2024 22:16:27 +0100 Subject: [PATCH 10/14] easyrsa_openssl(): Correct comment Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 4a2dc2675..c9acc59df 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -1166,7 +1166,7 @@ easyrsa_openssl() { rand) die "easyrsa_openssl: Illegal SSL command: rand" esac - # Use $EASYRSA_SSL_CONF or $global_safe_ssl_cnf_tmp + # Use $EASYRSA_SSL_CONF (local) or $OPENSSL_CONF (global) if [ -f "$EASYRSA_SSL_CONF" ]; then export OPENSSL_CONF="$EASYRSA_SSL_CONF" else From 79cc3f9d3314c686bcc6fb2aa2f66e141ed43773 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Tue, 3 Sep 2024 22:55:10 +0100 Subject: [PATCH 11/14] TLS Keys: Require a CA to be built If Easy-RSA is used by a client only then that client must not generate their own TLS key. Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 25 ++++++++++++++++--------- 1 file changed, 16 insertions(+), 9 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index c9acc59df..031c7b6ea 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa 
@@ -1457,12 +1457,18 @@ Please delete the key above that is no longer in use." header="# Easy-RSA TLS Key: $(date)${NL}# DO NOT DELETE" printf '%s\n\n%s\n' "$header" "$tls_key_data" \ > "$old_tls_key_file" - tls_msg="\ + tls_msg="${NL} Previous Easy-RSA TLS key saved to: -* $old_tls_key_file" +* $old_tls_key_file${NL}" else - tls_msg="\ -Create a TLS-AUTH|TLS-CRYPT-V1 key now: See 'help gen-tls'" + # if an old TLD key still exists then notify user + if [ -f "$old_tls_key_file" ]; then + tls_msg="${NL} +Existing Easy-RSA TLS key preserved: +* $old_tls_key_file${NL}" + else + tls_msg= + fi fi # write pki/vars.example - no temp-file because no session @@ -1474,8 +1480,6 @@ Create a TLS-AUTH|TLS-CRYPT-V1 key now: See 'help gen-tls'" notice "\ 'init-pki' complete; you may now create a CA or requests. -$tls_msg - Your newly created PKI dir is: * $EASYRSA_PKI" @@ -1484,7 +1488,7 @@ Your newly created PKI dir is: select_vars information "\ Using Easy-RSA configuration: -* ${EASYRSA_VARS_FILE:-undefined}" +* ${EASYRSA_VARS_FILE:-undefined}${tls_msg}" } # => init_pki() # Find support files from various sources @@ -1670,6 +1674,9 @@ Unable to create necessary PKI files (permissions?)" if [ -f "$old_tls_key_file" ]; then cp "$old_tls_key_file" "$tls_key_file" || \ warn "Failed to install TLS Key!" + else + tls_key_msg="${NL} +Create an OpenVPN TLS-AUTH|TLS-CRYPT-V1 key now: See 'help gen-tls'" fi # Set ssl batch mode, as required @@ -1933,7 +1940,7 @@ Prior to signing operations, place your resulting Sub-CA cert at: else notice "\ CA creation complete. Your new CA certificate is at: -* $out_file" +* $out_file${tls_key_msg}" fi } # => build_ca() @@ -5760,7 +5767,7 @@ case "$cmd" in require_pki=1 case "$cmd" in gen-req|gen-dh|build-ca|show-req|export-p*| \ - inline|self-sign-*|write|gen-tls-*) + inline|self-sign-*|write) : ;; # ok *) require_ca=1 esac From 30d4a05012f04b259ca6180c56afc14ea25eea4f Mon Sep 17 00:00:00 2001 
From: Richard T Bonhomme Date: Wed, 4 Sep 2024 12:55:07 +0100 Subject: [PATCH 12/14] build-ca: Add instructions and confirmation for TLS Key re-use Add detailed instructions for TLS Key re-use. Add confirmation for TLS Key re-use. init-pki soft: Correct TLS Key file hash value. Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 33 ++++++++++++++++++++++++++++++--- 1 file changed, 30 insertions(+), 3 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 031c7b6ea..7f7dfaaaf 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -1405,9 +1405,11 @@ and initialize a fresh PKI here." tls_key_hash="$( "$EASYRSA_OPENSSL" dgst -sha256 \ "$tls_key_file")" + tls_key_hash="${tls_key_hash##* }" old_tls_key_hash="$( "$EASYRSA_OPENSSL" dgst -sha256 \ "$old_tls_key_file")" + old_tls_key_hash="${old_tls_key_hash##* }" [ "$tls_key_hash" = "$old_tls_key_hash" ] || \ user_error "\ Easy-RSA TLS Keys do not match, only ONE of these files is valid: @@ -1461,7 +1463,7 @@ Please delete the key above that is no longer in use." Previous Easy-RSA TLS key saved to: * $old_tls_key_file${NL}" else - # if an old TLD key still exists then notify user + # if an OLD TLS key still exists then notify user if [ -f "$old_tls_key_file" ]; then tls_msg="${NL} Existing Easy-RSA TLS key preserved: 
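Review bot: The trimmed hashes are compared without checking that either digest was actually produced: if `"$EASYRSA_OPENSSL" dgst -sha256` fails for both files, both variables are empty, `[ "$tls_key_hash" = "$old_tls_key_hash" ]` succeeds, and the "TLS Keys do not match" guard is skipped. Neither command substitution has its exit status checked in the visible lines. A guard before the comparison closes this, e.g. `[ -n "$tls_key_hash" ] && [ -n "$old_tls_key_hash" ] || die "init-pki: TLS key hash failed"`. The enclosing block starts outside the hunk, so an earlier existence test may narrow the case, but it would not cover an unreadable file or an openssl error.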
@@ -1669,11 +1671,34 @@ Unable to create necessary PKI files (permissions?)" unset -v err_msg # If one exists then recreate TLS Key - tls_key_file="$EASYRSA_PKI/private/easyrsa-tls.key" + tls_key_file="$EASYRSA_PKI"/private/easyrsa-tls.key old_tls_key_file="$EASYRSA_PKI"/easyrsa-keepsafe-tls.key if [ -f "$old_tls_key_file" ]; then + confirm "Re-install existing Easy-RSA TLS Key ? " yes " +An Easy-RSA TLS Key, saved by 'init-pki soft', has been found. +This TLS Key is in use by your VPN, it is recommended that you +re-install this TLS Key. + +Note: +This is a private key and will NOT be added to new inline files. + +To create a new Easy-RSA TLS Key, delete this old TLS Key above." cp "$old_tls_key_file" "$tls_key_file" || \ warn "Failed to install TLS Key!" + tls_key_msg="${NL} +NOTICE: The previous Easy-RSA TLS Key has been installed: +* $tls_key_file + +This TLS Key will NOT be added to new inline files. These new +inline files can then be easily distributed to your servers and +clients. The TLS Key that your servers and clients have previously +received, can be added to the inline file manually. + +To re-enable automatically adding this TLS Key to inline files, +simply delete the backup TLS Key at: +* $old_tls_key_file + +To create a new Easy-RSA TLS Key, delete both TLS Keys above." else tls_key_msg="${NL} Create an OpenVPN TLS-AUTH|TLS-CRYPT-V1 key now: See 'help gen-tls'" @@ -1940,7 +1965,9 @@ Prior to signing operations, place your resulting Sub-CA cert at: else notice "\ CA creation complete. Your new CA certificate is at: -* $out_file${tls_key_msg}" +* $out_file${tls_key_msg} + +Build-ca completed successfully." fi } # => build_ca() From 8f25ae62a45dde19defdf4ca2b73c19e22b94047 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Thu, 5 Sep 2024 11:24:08 +0100 Subject: [PATCH 13/14] Minor style change: $ssl_batch and $text assignment and usage 
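Review bot: When `cp "$old_tls_key_file" "$tls_key_file"` fails, the code only warns and then still sets `tls_key_msg` to "The previous Easy-RSA TLS Key has been installed", so the closing notice can report a key that is not there. Setting the message only on success avoids that, by turning the copy into `if cp ...; then tls_key_msg=...; else warn "Failed to install TLS Key!"; fi` with the message text unchanged. Because this is private key material, also confirm the copy ends up with restrictive permissions; nothing in the hunk sets a mode, so the result depends on the umask and on whatever build_ca() does outside the hunk. The prompt text says to delete "this old TLS Key above", but no path appears in the visible prompt, so naming `$old_tls_key_file` there would make the instruction actionable.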
Signed-off-by: Richard T Bonhomme --- easyrsa3/easyrsa | 21 +++++++-------------- 1 file changed, 7 insertions(+), 14 deletions(-) diff --git a/easyrsa3/easyrsa b/easyrsa3/easyrsa index 7f7dfaaaf..45a5fbd1c 100755 --- a/easyrsa3/easyrsa +++ b/easyrsa3/easyrsa @@ -1589,8 +1589,8 @@ get_passphrase() { # build-ca backend: build_ca() { cipher="-aes256" - unset -v sub_ca ssl_batch date_stamp x509 error_info \ - ca_password_via_cmdline + unset -v sub_ca date_stamp x509 error_info \ + ca_password_via_cmdline while [ "$1" ]; do case "$1" in @@ -1600,7 +1600,7 @@ build_ca() { nopass) [ "$prohibit_no_pass" ] || EASYRSA_NO_PASS=1 ;; - raw-ca|raw) + raw*) EASYRSA_RAW_CA=1 ;; *) user_error "Unknown command option: '$1'" @@ -1705,9 +1705,7 @@ Create an OpenVPN TLS-AUTH|TLS-CRYPT-V1 key now: See 'help gen-tls'" fi # Set ssl batch mode, as required - if [ "$EASYRSA_BATCH" ]; then - ssl_batch=1 - fi + [ "$EASYRSA_BATCH" ] && ssl_batch=1 # Default CA commonName if [ "$EASYRSA_REQ_CN" = ChangeMe ]; then @@ -2221,13 +2219,8 @@ Run easyrsa without commands for usage and commands." file_name_base="$1" shift # scrape off file-name-base - # Initialisation - unset -v text ssl_batch - # Set ssl batch mode as required - if [ "$EASYRSA_BATCH" ]; then - ssl_batch=1 - fi + [ "$EASYRSA_BATCH" ] && ssl_batch=1 # Set commonName if [ "$EASYRSA_REQ_CN" = ChangeMe ]; then @@ -5520,10 +5513,10 @@ detect_host # Initialisation requirements unset -v \ OPENSSL_CONF \ - verify_ssl_lib_ok \ + verify_ssl_lib_ok ssl_batch \ secured_session mktemp_counter \ working_safe_ssl_conf working_safe_org_conf \ - alias_days \ + alias_days text \ prohibit_no_pass \ invalid_vars \ local_request error_build_full_cleanup \ From a87a46a2a9538af338ed1d81c4278f1493a410d6 Mon Sep 17 00:00:00 2001 From: Richard T Bonhomme Date: Thu, 5 Sep 2024 11:32:39 +0100 Subject: [PATCH 14/14] ChageLog: Always exit with error for unknown command options (Except nopass) 
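Review bot: `raw*)` in the build_ca option loop matches any word that merely starts with "raw", so a typo such as `rawca` or `raw-cs` now sets `EASYRSA_RAW_CA=1` instead of reaching the `*) user_error "Unknown command option: '$1'"` arm added earlier in this series. The commit is labelled a style change, but this widens what build-ca accepts; keeping `raw-ca|raw)` preserves the strict parsing. The `case` statement continues outside the hunk.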
Signed-off-by: Richard T Bonhomme --- ChangeLog | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ChangeLog b/ChangeLog index 247692c46..6ecd03693 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,9 @@ Easy-RSA 3 ChangeLog 3.2.1 (TBD) + * Always exit with error for unknown command options (Except nopass) (#1221) + (build-ca: b2f7912); (gen-req: 07f21d3); (build_full(): 0ff7f4c); + (export_pkcs(): 2c51288); (set-pass: 1266d4e) * Integrate Easy-RSA TLS-Key for use with 'init-pki soft' (03d9dc2) (#1220) Note: Inline files that contain private key data are now created in sub-dir 'pki/inline/private'.