make-ca broken by openssl-1.1.0h
|Reported by:||Owned by:|
First reported by Ryan Marsaw on Sunday in http://lists.linuxfromscratch.org/pipermail/blfs-dev/2018-April/034321.html
This causes https to fail on new installs, and on upgraded installs from an earlier version of openssl the old certificates will be used if an attmpt is made to refresh the certs.
Upstream bug is https://github.com/openssl/openssl/issues/5772 (reported by debian, https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894282 )
From an openssl comment after this was closed:
levitte commented 8 days ago
Side note: while I understand the nature of habit, I would urge those who can (and this most definitely includes Linux as far as I know) to switch to use openssl rehash. c_rehash is a kinda fallback script that will disappear at some point.
Meanwhile, in the absence of openssl-1.1.0j I suggest we try adding quotes to /usr/bin/c_rehash (on the make-ca page, before invoking make-ca) if they are not present.
I have suggested
sed -i -e s%'= /etc/ssl;%= "/etc/ssl";%' \ -e 's%= /usr;%= "/usr";%' /usr/bin/c_rehash
on the grounds that it looks as if it will do the right thing (nothing) if rerun, but I haven't confirmed that.
For the longer term, I guess we should move to openssl rehash.
I can take a look at confirming the sed can be run multiple times without breaking c_rehash.