Updated "easy-rsa" for OpenSSL 1.0.0

This patch fixes remaining issues with Trac ticket #125. It does the following:

- Update easy-rsa/2.0/README
- Rename easy-rsa/2.0/openssl.cnf as openssl-0.9.8.cnf
- Add easy-rsa/2.0/openssl-1.0.0.cnf
- Updated vars.bat.sample to use openssl-1.0.0.cnf
- Updated win/openvpn.nsi to use openssl-1.0.0.cnf
- Add a few undefined variables to vars and vars.bat.sample:
  required by OpenSSL 1.0.0 (at least on Windows)

Signed-off-by: Samuli Seppänen <samuli@openvpn.net>
Tested-by: Samuli Seppänen <samuli@openvpn.net>
Acked-by: David Sommerseth <davids@redhat.com>
Signed-off-by: David Sommerseth <davids@redhat.com>

easy-rsa/2.0/README

@@ -74,8 +74,8 @@ Release Notes for easy-rsa-2.0
 INSTALL easy-rsa
 
 1. Edit vars.
-2. Set KEY_CONFIG to point to the openssl.cnf file
-   included in this distribution.
+2. Set KEY_CONFIG to point to the correct openssl-<version>.cnf
+   file included in this distribution.
 3. Set KEY_DIR to point to a directory which will
    contain all keys, certificates, etc.  This
    directory need not exist, and if it does,

easy-rsa/2.0/openssl-1.0.0.cnf

@@ -1,9 +1,4 @@
-# For use with easy-rsa version 2.0
-
-#
-# OpenSSL example configuration file.
-# This is mostly being used for generation of certificate requests.
-#
+# For use with easy-rsa version 2.0 and OpenSSL 1.0.0*
 
 # This definition stops the following lines choking if HOME isn't
 # defined.
@@ -15,12 +10,12 @@ openssl_conf		= openssl_init
 # Extra OBJECT IDENTIFIER info:
 #oid_file		= $ENV::HOME/.oid
 oid_section		= new_oids
-engines                 = engine_section
+engines			= engine_section
 
 # To use this configuration file with the "-extfile" option of the
 # "openssl x509" utility, name here the section containing the
 # X.509v3 extensions to use:
-# extensions		= 
+# extensions		=
 # (Alternatively, use a configuration file that has only
 # X.509v3 extensions in its main [= default] section.)
 
@@ -48,7 +43,7 @@ new_certs_dir	= $dir			# default place for new certs.
 certificate	= $dir/ca.crt	 	# The CA certificate
 serial		= $dir/serial 		# The current serial number
 crl		= $dir/crl.pem 		# The current CRL
-private_key	= $dir/ca.key	 	# The private key
+private_key	= $dir/ca.key		# The private key
 RANDFILE	= $dir/.rand		# private random number file
 
 x509_extensions	= usr_cert		# The extentions to add to the cert
@@ -59,7 +54,7 @@ x509_extensions	= usr_cert		# The extentions to add to the cert
 
 default_days	= 3650			# how long to certify for
 default_crl_days= 30			# how long before next CRL
-default_md	= md5			# which md to use.
+default_md	= md5			# use public key default MD
 preserve	= no			# keep passed DN ordering
 
 # A few difference way of specifying how similar the request should look
@@ -102,14 +97,12 @@ x509_extensions	= v3_ca	# The extentions to add to the self signed cert
 # input_password = secret
 # output_password = secret
 
-# This sets a mask for permitted string types. There are several options. 
+# This sets a mask for permitted string types. There are several options.
 # default: PrintableString, T61String, BMPString.
-# pkix	 : PrintableString, BMPString.
-# utf8only: only UTF8Strings.
+# pkix	 : PrintableString, BMPString (PKIX recommendation after 2004).
+# utf8only: only UTF8Strings (PKIX recommendation after 2004).
 # nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
 # MASK:XXXX a literal mask value.
-# WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
-# so use this option with caution!
 string_mask = nombstr
 
 # req_extensions = v3_req # The extensions to add to a certificate request
@@ -151,6 +144,7 @@ organizationalUnitName_default = $ENV::KEY_OU
 commonName_default = $ENV::KEY_CN
 name_default = $ENV::KEY_NAME
 
+
 # SET-ex3			= SET extension number 3
 
 [ req_attributes ]
@@ -196,6 +190,7 @@ authorityKeyIdentifier=keyid,issuer:always
 extendedKeyUsage=clientAuth
 keyUsage = digitalSignature
 
+
 # This stuff is for subjectAltName and issuerAltname.
 # Import the email address.
 # subjectAltName=email:copy
@@ -214,8 +209,8 @@ keyUsage = digitalSignature
 
 # JY ADDED -- Make a cert with nsCertType set to "server"
 basicConstraints=CA:FALSE
-nsCertType			= server
-nsComment			= "Easy-RSA Generated Server Certificate"
+nsCertType                     = server
+nsComment                      = "Easy-RSA Generated Server Certificate"
 subjectKeyIdentifier=hash
 authorityKeyIdentifier=keyid,issuer:always
 extendedKeyUsage=serverAuth
@@ -288,4 +283,3 @@ dynamic_path = /usr/lib/engines/engine_pkcs11.so
 MODULE_PATH = $ENV::PKCS11_MODULE_PATH
 PIN = $ENV::PKCS11_PIN
 init = 0
-

easy-rsa/2.0/vars

@@ -66,3 +66,9 @@ export KEY_PROVINCE="CA"
 export KEY_CITY="SanFrancisco"
 export KEY_ORG="Fort-Funston"
 export KEY_EMAIL="me@myhost.mydomain"
+export KEY_EMAIL=mail@host.domain
+export KEY_CN=changeme
+export KEY_NAME=changeme
+export KEY_OU=changeme
+export PKCS11_MODULE_PATH=changeme
+export PKCS11_PIN=1234

easy-rsa/Windows/vars.bat.sample

@@ -4,7 +4,7 @@ rem the openssl.cnf file included
 rem with easy-rsa.
 
 set HOME=%ProgramFiles%\OpenVPN\easy-rsa
-set KEY_CONFIG=openssl.cnf
+set KEY_CONFIG=openssl-1.0.0.cnf
 
 rem Edit this variable to point to
 rem your soon-to-be-created key
@@ -33,3 +33,8 @@ set KEY_PROVINCE=CA
 set KEY_CITY=SanFrancisco
 set KEY_ORG=OpenVPN
 set KEY_EMAIL=mail@host.domain
+set KEY_CN=changeme
+set KEY_NAME=changeme
+set KEY_OU=changeme
+set PKCS11_MODULE_PATH=changeme
+set PKCS11_PIN=1234

win/openvpn.nsi

@@ -274,7 +274,7 @@ Section "${PRODUCT_NAME} RSA Certificate Management Scripts" SecOpenVPNEasyRSA
 
   # Original nsi script looked for ${EASYRSA}\2.0\openssl.cnf.sample. A newer
   # openssl.cnf is needed on OpenVPN 2.2+.
-  File "${EASYRSA}\Windows\openssl.cnf"
+  File "${EASYRSA}\2.0\openssl-1.0.0.cnf"
 
   File "${EASYRSA}\Windows\vars.bat.sample"