From: bugzilla-noreply@freebsd.org
To: freebsd-ports-bugs@FreeBSD.org
Subject: [Bug 221310] security/libressl migration inconsistency from openssl - removal of ENV functionality
Date: Mon, 07 Aug 2017 13:32:21 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=221310

            Bug ID: 221310
           Summary: security/libressl migration inconsistency from openssl - removal of ENV functionality
           Product: Ports & Packages
           Version: Latest
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: Individual Port(s)
          Assignee: brnrd@freebsd.org
          Reporter: dewayne@heuristicsystems.com.au
             Flags: maintainer-feedback?(brnrd@freebsd.org)

The mechanism to pass environment variables such as COMMONNAME and SUBJECTALTNAME to openssl is via the ENV call in openssl.cnf. We instruct openssl to use an openssl.cnf file specially crafted for PKI purposes, via the openssl command -config. For example:

    openssl ca -config $ext_file ...

Unfortunately libressl has removed the ENV passing functionality, breaking our PKI system and, I'm sure, many others (e.g. OpenVPN's easy_rsa).

As a kludge, we're working around this issue with the really stupid approach below, though suggestions are welcome. This approach, I think, really defeats the purpose and intent of removing the ENV functionality.

    sed -e "/SUBJECTALTNAME/s|\$ENV::SUBJECTALTNAME|email:tom@host1,email:dick@host2,email:harry@host3|1" /pki/etc/openssl.cnf > /md/openssl.cnf
    openssl ca -config /md/openssl.cnf ...

    sed -e '/SUBJECTALTNAME/s|$ENV::SUBJECTALTNAME|email:tom@host1,email:dick@host2,email:harry@host3|1' /pki/etc/openssl.cnf > /md/openssl.cnf

A better approach is to switch "on" libressl's ability to read an openssl.cnf file, rather than removing that which makes openssl.cnf useful. (And if anyone has the C skills, a starting point may be

    grep ENV work/openssl-1.0.2l/*/* | cut -d: -f1 | sort -u

but most of the work is in ca.c.)

References:
https://readlist.com/lists/openbsd.org/misc/34/170969.html
http://marc.info/?l=openbsd-ports&m=144604049719515&w=2
https://github.com/OpenVPN/easy-rsa/issues/76

-- 
You are receiving this mail because:
You are the assignee for the bug.
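As an added example, not part of the bug report and not code from the libressl or openssl ports: the one-off sed line above generalizes into a small POSIX shell renderer that expands every $ENV::NAME placeholder in an openssl.cnf template from the environment, so a LibreSSL build that no longer does this itself can still be driven from a static file. Beyond the report's case it escapes characters that are special in a sed replacement and refuses to render when a named variable is unset or empty, so an empty commonName or subjectAltName never reaches the CA. The template contents, the mktemp path and the values assigned to COMMONNAME and SUBJECTALTNAME are constructed for this example; the variable names come from the report.

```shell
#!/bin/sh
# Added example, not code from the bug report: render an openssl.cnf
# template that carries $ENV::NAME placeholders into a static file for a
# LibreSSL build that does not expand them. Template text, temp path and
# sample values below are constructed for this example (assumptions).

# make_template FILE: write a constructed openssl.cnf fragment that uses
# the two placeholders named in the report.
make_template() {
    printf '%s\n' \
        '[ req_distinguished_name ]' \
        'commonName = $ENV::COMMONNAME' \
        '[ v3_ext ]' \
        'subjectAltName = $ENV::SUBJECTALTNAME' > "$1"
}

# render_cnf TEMPLATE NAME...: print TEMPLATE with each $ENV::NAME replaced
# by the (single-line) value of NAME from the environment. Returns non-zero
# and prints nothing when any listed NAME is unset or empty, so the CA is
# never handed a config with a blank subject field or SAN.
render_cnf() {
    template=$1; shift
    [ -r "$template" ] || { echo "render_cnf: cannot read $template" >&2; return 1; }
    out=$(cat "$template")
    for name in "$@"; do
        value=$(eval "printf '%s' \"\${$name}\"")
        if [ -z "$value" ]; then
            echo "render_cnf: $name is unset or empty" >&2
            return 1
        fi
        # Escape what is special in a sed replacement: backslash, & and
        # the | we use as the s/// delimiter.
        escaped=$(printf '%s' "$value" | sed -e 's/[\\&|]/\\&/g')
        # \$ keeps the dollar literal in the sed pattern (BRE).
        out=$(printf '%s\n' "$out" | sed -e "s|\\\$ENV::$name|$escaped|g")
    done
    printf '%s\n' "$out"
}

# Stand-alone demo: render the constructed template with sample values.
tmpl=$(mktemp)
make_template "$tmpl"
COMMONNAME=host1.example.test
SUBJECTALTNAME='email:tom@host1,email:dick@host2,email:harry@host3'
export COMMONNAME SUBJECTALTNAME
render_cnf "$tmpl" COMMONNAME SUBJECTALTNAME
rm -f "$tmpl"
```

The rendered file is what you would then pass to `openssl ca -config`; because the renderer fails closed, a wrapper script that forgets to set one of the variables stops before signing rather than silently issuing a certificate with a missing field.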