
Fix PKCS#12 mobileconfig installation errors when using openssl version > 3 (trailofbits#14558) #14622

Open

wants to merge 5 commits into base: master
Conversation

ExtremeModerate

Check the openssl version and add -legacy flag for newer versions when working with PKCS#12 files. Original fix by https://github.com/omgagg/algo/tree/custom was updated to use a shell script to get the version. This fixes #14558

Description

In roles/strongswan/tasks/openssl.yml, get the version of openssl, set as a fact. In subsequent openssl tasks related to the PKCS#12 certs, if the version > 3, then add the -legacy flag, as described in [the OpenSSL documentation](https://www.openssl.org/docs/man3.0/man1/openssl-pkcs12.html).

Motivation and Context

Per #14558, with newer versions of OpenSSL, the mobileconfig files created could not be installed on macOS or iOS devices (untested on Android or Windows), with the process failing with an authentication error. By adding the -legacy flag to the OpenSSL commands, the certs can be installed.

How Has This Been Tested?

Changes have only been manually tested when running algo in a docker instance, and only when building to EC2 targets.
Due to a lack of resources, I can't easily test in other situations.

  • build the docker image with docker build . -name custom/algo:latest
  • remove any existing algo instance/stack in the ec2 region
  • use the unmodified example config.cfg file
  • deploy per the documentation in docs/deploy-from-docker.md
  • add the ipsec/apple/laptop.mobileconfig file to macOS (double-click)
  • install the profile via system preferences
  • verify ability to connect to the vpn server
  • send the ipsec/apple/iphone.mobileconfig file to iPhone
  • install the profile via system preferences
  • verify ability to connect to the vpn server
  • send the ipsec/apple/desktop.mobileconfig file to iPad
  • install the profile via system preferences
  • verify ability to connect to the vpn server

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist:

  • I have read the CONTRIBUTING document.
  • My code follows the code style of this project.
  • [] My change requires a change to the documentation.
  • [] I have updated the documentation accordingly.
  • [] I have added tests to cover my changes.
  • [] All new and existing tests passed. ** I honestly don't know how to run the existing tests **

@CLAassistant

CLAassistant commented Jul 4, 2023

CLA assistant check
All committers have signed the CLA.

@rdreher

rdreher commented Jul 31, 2023

there are some unnecessary changes made to roles/strongswan/tasks/openssl.yml. Lines 158 to 160 will break the install process with a "package can't be installed" error. Removing those solves both issues, with install and the original with the profile install

@XxMicrowavexX

The changes don't work for me

gh0st-network added a commit to gh0st-network/algo that referenced this pull request Dec 10, 2023
Fix PKCS#12 mobileconfig installation errors when using openssl version > 3 (trailofbits#14558) trailofbits#14622
https://github.com/trailofbits/algo/pull/14622/files

  - name: Get OpenSSL version
    shell: |
      set -o pipefail

rafaelsms commented Jan 1, 2024


When running cloud-init (Ubuntu 22.04 LTS x64 on Vultr), I got an error because set -o pipefail fails on /bin/sh

Fixed by specifying which shell to run:

  # (...)
  shell: |
    set -o pipefail
    {{ openssl_bin }} version |
    cut -f 2 -d ' '
  args:
    executable: bash   # bash understands `set -o pipefail`; /bin/sh (dash) does not
  # (...)

With this change, everything is working for me :)
Thanks everyone (for fixing this issue and keeping this very nice project). Happy new year for all!
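A stand-alone version of the check this PR describes (detect the OpenSSL version, then pass -legacy to `openssl pkcs12 -export` on 3.x) that also sidesteps the /bin/sh problem rafaelsms hit above. This is an added example, not code from the algo role, the PR or either comment; the function names (`openssl_vendor_major`, `openssl_needs_legacy`, `pkcs12_export_extra_args`, `demo_export`) and the sample `openssl version` lines are this example's own. It splits the version line with `set --` instead of piping through `cut`, so it needs no `set -o pipefail` and runs under dash as well as bash, and it refuses to add -legacy for LibreSSL, which also reports a 3.x version but has no such option. Two caveats before adopting the flag: -legacy loads OpenSSL's legacy provider module, which some distributions package separately, and in legacy mode the container's default algorithms become RC2-CBC (3DES-CBC in builds without RC2) for certificates and 3DES-CBC for the private key instead of AES-256-CBC with PBKDF2, which is the weaker combination older Apple profile installers accept. An alternative that does not need the legacy provider is `-certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1`; the PR does not use it, and it is mentioned here only as an option.

```shell
#!/bin/sh
# Added example (not the algo role's code): choose whether `openssl pkcs12 -export`
# needs -legacy, portably under /bin/sh (dash) and bash, without `set -o pipefail`.

# Print "<vendor> <major>" for an `openssl version` line such as
# "OpenSSL 3.0.2 15 Mar 2022" or "LibreSSL 3.3.6". Returns 1 on unparsable input.
openssl_vendor_major() {
    set -- $1                      # split on whitespace: $1=vendor $2=x.y.z ...
    case "$1" in
        OpenSSL|LibreSSL) ;;
        *) return 1 ;;
    esac
    case "$2" in
        [0-9]*) ;;
        *) return 1 ;;
    esac
    printf '%s %s\n' "$1" "${2%%.*}"
}

# Exit 0 when the PKCS#12 export needs -legacy, i.e. OpenSSL 3 or newer.
# LibreSSL (the default `openssl` on macOS) also reports 3.x but has no
# -legacy option, so it never gets the flag.
openssl_needs_legacy() {
    vm=$(openssl_vendor_major "$1") || return 1
    set -- $vm
    if [ "$1" = OpenSSL ] && [ "$2" -ge 3 ]; then
        return 0
    fi
    return 1
}

# Print the extra argument(s) to splice into `openssl pkcs12 -export`
# (empty output when none are needed).
pkcs12_export_extra_args() {
    if openssl_needs_legacy "$1"; then
        printf '%s\n' "-legacy"
    fi
}

# Optional live run (needs an `openssl` binary): make a throwaway key/cert,
# export a PKCS#12 with the flags chosen above and dump its algorithms.
demo_export() {
    dir=$(mktemp -d) || return 1
    ver=$(openssl version)
    extra=$(pkcs12_export_extra_args "$ver")
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=demo' \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null || return 1
    # $extra is deliberately unquoted so an empty value adds no argument.
    openssl pkcs12 -export $extra -in "$dir/cert.pem" -inkey "$dir/key.pem" \
        -name demo -passout pass:changeit -out "$dir/demo.p12" || return 1
    # Reading a -legacy container back needs the legacy provider as well.
    openssl pkcs12 -info -noout $extra -in "$dir/demo.p12" -passin pass:changeit
    rm -rf "$dir"
}

# Decision table over constructed `openssl version` lines (not real output).
for v in 'OpenSSL 3.0.2 15 Mar 2022' 'OpenSSL 1.1.1f  31 Mar 2020' 'LibreSSL 3.3.6'; do
    printf '%-30s -> "%s"\n' "$v" "$(pkcs12_export_extra_args "$v")"
done

# `sh this_script.sh demo` additionally runs the live export against the local openssl.
if [ "${1:-}" = demo ]; then
    demo_export
fi
```

In an Ansible task the equivalent is to register `openssl version` once, derive the flag in a `set_fact`, and reference it in each `pkcs12 -export` call, which is what the PR's version-as-a-fact approach does; the point of the parser above is that it works with `shell` under the default `/bin/sh` without needing `executable: bash`.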

Successfully merging this pull request may close these issues.

iPhone: "Profile Installation Failed" - The password for the certificate "phone.p12" is incorrect.