Opened 7 years ago
Closed 7 years ago
#10626 closed defect (fixed)
make-ca broken by openssl-1.1.0h
| Reported by: | Owned by: | ||
|---|---|---|---|
| Priority: | high | Milestone: | 8.3 |
| Component: | BOOK | Version: | SVN |
| Severity: | normal | Keywords: | |
| Cc: |
Description ¶
First reported by Ryan Marsaw on Sunday in http://lists.linuxfromscratch.org/pipermail/blfs-dev/2018-April/034321.html
This causes https to fail on new installs, and on upgraded installs from an earlier version of openssl the old certificates will be used if an attmpt is made to refresh the certs.
Upstream bug is https://github.com/openssl/openssl/issues/5772 (reported by debian, https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894282 )
From an openssl comment after this was closed:
levitte commented 8 days ago
Side note: while I understand the nature of habit, I would urge those who can (and this most definitely includes Linux as far as I know) to switch to use openssl rehash. c_rehash is a kinda fallback script that will disappear at some point.
Meanwhile, in the absence of openssl-1.1.0j I suggest we try adding quotes to /usr/bin/c_rehash (on the make-ca page, before invoking make-ca) if they are not present.
I have suggested
sed -i -e s%'= /etc/ssl;%= "/etc/ssl";%' \
-e 's%= /usr;%= "/usr";%' /usr/bin/c_rehash
on the grounds that it looks as if it will do the right thing (nothing) if rerun, but I haven't confirmed that.
For the longer term, I guess we should move to openssl rehash.
I can take a look at confirming the sed can be run multiple times without breaking c_rehash.
Change History (5)
follow-ups: 3 4 comment:1 by , 7 years ago
comment:2 by , 7 years ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:3 by , 7 years ago
Replying to bdubbs:
For the sed, which we should also do, I suggest a minor change:
sed -e 's%= /etc/ssl;%= "/etc/ssl";%' \ -e 's%= /usr;%= "/usr";%' \ -i /usr/bin/c_rehashAnd if run a second time will do nothing because the " inserted the first time will prevent a match on subsequent applications.
Heh, I didn't notice that in my version the initial s%' has the quote at the end instead of the beginning. Weirdly, both work identically in sed-4.4 although mine is obviously incorrect.
comment:4 by , 7 years ago
Replying to bdubbs:
According to the c_rehash man page, c_rehash is the same as openssl rehash. What we have now is one line:
/usr/bin/c_rehash "${DESTDIR}${CERTDIR}" 2>&1>/dev/null
so if we change 'c_' with 'openssl ' we should be good.
Works for me. I can't be bothered to go through the github rigmarole of forking and sending a pull request, so I've sent a patch to DJ.
According to the c_rehash man page, c_rehash is the same as openssl rehash. What we have now is one line:
/usr/bin/c_rehash "${DESTDIR}${CERTDIR}" 2>&1>/dev/null
so if we change 'c_' with 'openssl ' we should be good.
For the sed, which we should also do, I suggest a minor change:
sed -e 's%= /etc/ssl;%= "/etc/ssl";%' \ -e 's%= /usr;%= "/usr";%' \ -i /usr/bin/c_rehashAnd if run a second time will do nothing because the " inserted the first time will prevent a match on subsequent applications.