Date: Mon, 07 Aug 2017 13:32:21 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-ports-bugs@FreeBSD.org
Subject: [Bug 221310] security/libressl migration inconsistency from openssl - removal of ENV functionality
Message-ID: <bug-221310-13@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=221310

            Bug ID: 221310
           Summary: security/libressl migration inconsistency from openssl - removal of ENV functionality
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: Individual Port(s)
          Assignee: brnrd@freebsd.org
          Reporter: dewayne@heuristicsystems.com.au
             Flags: maintainer-feedback?(brnrd@freebsd.org)

The mechanism to pass environment variables such as COMMONNAME and SUBJECTALTNAME to openssl is via the ENV call in openssl.cnf. We instruct openssl to use an openssl.cnf file specially crafted for PKI purposes, via the openssl command -config. For example:

    openssl ca -config $ext_file ...

Unfortunately libressl has removed the ENV passing functionality, breaking our PKI system and I'm sure many others (e.g. OpenVPN's easy_rsa).

As a kludge, we're working around this issue with a really stupid approach below, though suggestions are welcome. This approach, I think, really defeats the purpose and intent of removing the ENV functionality:

    sed -e "/SUBJECTALTNAME/s|\$ENV::SUBJECTALTNAME|email:tom@host1,email:dick@host2,email:harry@host3|1" /pki/etc/openssl.cnf > /md/openssl.cnf
    openssl ca -config /md/openssl.cnf ...

    sed -e '/SUBJECTALTNAME/s|$ENV::SUBJECTALTNAME|email:tom@host1,email:dick@host2,email:harry@host3|1' /pki/etc/openssl.cnf > /md/openssl.cnf

A better approach is to switch "on" libressl's ability to read an openssl.cnf file, rather than removing that which makes openssl.cnf useful. (And if anyone has the C skills, a starting point may be

    grep ENV work/openssl-1.0.2l/*/* | cut -d: -f1 | sort -u

but most of the work is in ca.c.)

References:
https://readlist.com/lists/openbsd.org/misc/34/170969.html
http://marc.info/?l=openbsd-ports&m=144604049719515&w=2
https://github.com/OpenVPN/easy-rsa/issues/76

-- 
You are receiving this mail because:
You are the assignee for the bug.
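As an added example (not code from the bug report, from the FreeBSD port, or from libressl/openssl), the shell function below performs the $ENV::NAME expansion the report describes, so one openssl.cnf written for OpenSSL's ENV syntax can be pre-expanded into a temporary file before being handed to libressl's openssl ca -config. Unlike the sed one-liner it handles every ENV reference in the file, accepts both the $ENV::NAME and ${ENV::NAME} spellings, and fails with a non-zero status when a referenced variable is unset rather than silently emitting an empty subjectAltName. The function name and the /pki/etc and /md paths in the usage comment are assumed.

```shell
# Expand OpenSSL-style $ENV::NAME and ${ENV::NAME} references in an
# openssl.cnf read from stdin, writing the expanded config to stdout.
# Only exported variables are visible (awk's ENVIRON comes from getenv,
# as OpenSSL's own ENV lookup does). A referenced but unset variable is
# an error, so a missing SUBJECTALTNAME cannot turn into an empty value.
expand_openssl_env() {
  awk '
  {
    line = $0
    out = ""
    while (match(line, /\$\{ENV::[A-Za-z_][A-Za-z0-9_]*\}|\$ENV::[A-Za-z_][A-Za-z0-9_]*/)) {
      tok = substr(line, RSTART, RLENGTH)
      # strip "$ENV::" or "${ENV::" ... "}" to get the bare variable name
      if (substr(tok, 2, 1) == "{")
        name = substr(tok, 8, length(tok) - 8)
      else
        name = substr(tok, 7)
      if (!(name in ENVIRON)) {
        printf "expand_openssl_env: %s is referenced but not set\n", name > "/dev/stderr"
        exit 2
      }
      out = out substr(line, 1, RSTART - 1) ENVIRON[name]
      line = substr(line, RSTART + RLENGTH)
    }
    print out line
  }'
}

# Usage with the paths from the report (assumed layout):
#   export SUBJECTALTNAME='email:tom@host1,email:dick@host2,email:harry@host3'
#   expand_openssl_env < /pki/etc/openssl.cnf > /md/openssl.cnf \
#     && openssl ca -config /md/openssl.cnf ...
```

Other $-references in the file (e.g. $dir/certs, which OpenSSL resolves from its own config sections) are left untouched, so the expanded file is otherwise identical to the input.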