LibreSSL: `build-*-full` uses an incorrect SSL config file #1149
Comments
From PR: #1150 Fixed example 1.0:
Note: Fixed example 1.1:
Note: Fixed example 1.2:
The correct |
When using LibreSSL the SSL config is expanded to `safessl-easyrsa.cnf`. However, the code reverts back to the last expanded `openssl-easyrsa.cnf` file, during the signing phase `sign-req`.

The simplest solution is to ALWAYS use `openssl-easyrsa.cnf` and ONLY expand it for use by LibreSSL when `easyrsa_openssl` function is called. Effectively removing ALL use of `safessl-easyrsa.cnf`.

Example 1.0:

The `gen-req` phase correctly uses `Safe SSL conf` above. `temp.4.1`

Example 1.1:

The Final SSL conf is set to `temp.5.1`

Example 1.2:

The SSL conf file used by LibreSSL here is `temp.4.1` not `temp.5.1`, this drops the newly inserted `copy_extensions = copy`.

Also, temp-file `temp.5.1` is not expanded to a Safe SSL config file.

Example 1.3:

Completed.

So, `easyrsa` updates the wrong file when adding `--copy-exts` data.

For LibreSSL, the `safessl-easyrsa.cnf` file must be in use, not `openssl-easyrsa.cnf`.

Using OpenSSL, the correct files are selected because there is no confusion about which SSL config file to use.
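
An added check, not part of the original issue or of EasyRSA's code, that classifies an SSL config file along the two properties the report above separates: whether it is expanded and whether it carries `copy_extensions = copy`. It assumes "expanded" means no `$ENV::` references remain in active lines; the function names and the contents of the sample files (named after the report's `temp.4.1` and `temp.5.1`, plus a hypothetical `wanted.cnf`) are constructed for illustration.

```shell
#!/bin/sh
# Added illustration, not EasyRSA code. Sample files are constructed.
# Assumption: an "expanded" config has no $ENV:: references in active lines.

# Print the non-comment lines of config file $1.
active_lines() { grep -v '^[[:space:]]*#' "$1"; }

# Print "<expanded|unexpanded>,<copy-exts|no-copy-exts>" for config file $1.
conf_state() {
    if active_lines "$1" | grep -q '\$ENV::'; then
        exp=unexpanded
    else
        exp=expanded
    fi
    if active_lines "$1" |
        grep -Eq '^[[:space:]]*copy_extensions[[:space:]]*=[[:space:]]*copy[[:space:]]*$'; then
        ext=copy-exts
    else
        ext=no-copy-exts
    fi
    printf '%s,%s\n' "$exp" "$ext"
}

# Succeed only if $1 is both expanded and carries copy_extensions = copy.
usable_for_libressl_copy_exts() {
    [ "$(conf_state "$1")" = "expanded,copy-exts" ]
}

# Write constructed stand-ins for the temp files named in the report.
make_samples() {
    printf '%s\n' '[ CA_default ]' 'dir = /pki' > "$1/temp.4.1"
    printf '%s\n' '[ CA_default ]' 'dir = $ENV::EASYRSA_PKI' \
        'copy_extensions = copy' > "$1/temp.5.1"
    printf '%s\n' '[ CA_default ]' 'dir = /pki' \
        'copy_extensions = copy' > "$1/wanted.cnf"
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
make_samples "$demo_dir"
for f in temp.4.1 temp.5.1 wanted.cnf; do
    printf '%s: %s\n' "$f" "$(conf_state "$demo_dir/$f")"
done
```

Neither of the two files from the report passes `usable_for_libressl_copy_exts`: one is expanded but lacks the extension setting, the other has the setting but is not expanded.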