ca behaviour with -spkac and stdout changed/broke text interface in 1.1.0i #8055
Comments
I suspect that this may have been introduced by the following commit (which was released in 1.1.0i): Associated pull request for that commit:
Breaking the interface seems like kind of a big deal. Can someone please comment on this?
Looks like a possible bug to me. This is what is in the documentation: "When processing SPKAC format, the output is DER if the B<-out> Perhaps @levitte can comment.
Does the following diff fix the issue for you? diff --git a/apps/ca.c b/apps/ca.c
index c69a2b5cdd..5b33fa6aa1 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -725,7 +725,7 @@ end_of_options:
/*****************************************************************/
if (req || gencrl) {
- if (spkac_file != NULL) {
+ if (spkac_file != NULL && outfile != NULL) {
output_der = 1;
batch = 1;
} |
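Review bot: the widened test on the `if (spkac_file != NULL && outfile != NULL)` line also gates `batch = 1`, so a `-spkac` run without `-out` no longer has batch mode forced the way it was before this change. If only the DER switch is meant to depend on `-out`, keep `batch = 1` under the original `spkac_file != NULL` test and move just `output_der = 1` under the new condition; if both are intended, a short comment at this spot stating that SPKAC output is DER only when `-out` is given would keep the rule next to the code that enforces it.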
So say the docs Fixes openssl#8055
There is a PR for this now, #8368
@levitte Thanks, that diff fixes my issue.
No. The 1.1.0 series is in security-fix only mode. Therefore this bug fix does not qualify.
Ah, okay, no worries.
Correction: Ubuntu 18.04 LTS has 1.1.0g-2ubuntu4.3, and so does not have this regression. [1] https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/1797386/ Any idea when the fix for this issue will make it into a 1.1.1 series update?
It will be in 1.1.1c which we have no date for yet. However we typically do a release every 3-4 months unless a pressing security issue requires us to do one earlier. 1.1.1b came out at the end of February.
Will this be cherrypicked into https://github.com/openssl/openssl/commits/OpenSSL_1_1_1-stable/apps/ca.c ? I see other fixes on the 1_1_1 branch since 1.1.1b but not this one.
Ah...#8368 was supposed to have been cherry-picked to 1.1.1 already, but it looks like it wasn't. I'll ping that PR.
Just noting FTR that this regression fix did not make it into 1.1.1c (presumably due to the oversight mentioned above). So presumably this will be in the (yet-to-be released) 1.1.1d?
Since around 1.1.0i, the following openssl ca command (with -spkac option and no -out option, i.e. use stdout) now generates binary certificate details rather than text (which breaks applications that parse that output):
This was observed in openssl-1.1.0i from Fedora 28:
openssl-1.1.0i-1.fc28.x86_64
In earlier versions it would output the PEM format Base64 encoded certificate data in a block surrounded with:
This interface change/breakage is quite painful.
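A consumer of this stdout can be written to tolerate either encoding, so a regression like the one reported above is detected rather than mis-parsed. This is an added example, not code from the OpenSSL project or from anyone in this thread; the function names and sample bytes are constructed, and it assumes the standard `CERTIFICATE` PEM label.

```python
import base64
import re

# Standard PEM armor for a certificate (assumed label; the thread does not show it).
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def der_total_length(buf):
    """Size of the outer DER SEQUENCE (header + body), or None if not DER-like."""
    if len(buf) < 2 or buf[0] != 0x30:           # 0x30 = constructed SEQUENCE
        return None
    first = buf[1]
    if first < 0x80:                             # short form: length in one byte
        return 2 + first
    n = first & 0x7F                             # long form: n length bytes follow
    if n == 0 or n > 4 or len(buf) < 2 + n:      # n == 0 is indefinite, not DER
        return None
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")

def classify(output):
    """Return 'pem', 'der' or 'unknown' for raw bytes read from the CA's stdout."""
    if PEM_RE.search(output):
        return "pem"
    if der_total_length(output) == len(output):
        return "der"
    return "unknown"

def to_der(output):
    """Normalise either encoding to DER; raise ValueError on anything else."""
    match = PEM_RE.search(output)
    if match:
        output = base64.b64decode(b"".join(match.group(1).split()), validate=True)
    if der_total_length(output) != len(output):
        raise ValueError("output is not a single, complete DER SEQUENCE")
    return output

# Constructed samples: a tiny DER SEQUENCE standing in for a certificate, and the
# same bytes as a PEM block preceded by a line of human-readable text.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_TEXT = (b"(human-readable certificate text)\n-----BEGIN CERTIFICATE-----\n"
               + base64.encodebytes(SAMPLE_DER) + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name, blob in (("text+PEM", SAMPLE_TEXT), ("DER", SAMPLE_DER)):
        print(name, classify(blob), to_der(blob).hex())
```

Rejecting input whose declared DER length does not match the bytes received also catches truncated output from a failed CA run.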