Opened 3 years ago

Closed 3 years ago

#10626 closed defect (fixed)

make-ca broken by openssl-1.1.0h

Reported by: ken@…
Owned by: ken@…
Priority: high
Milestone: 8.3
Component: BOOK
Version: SVN
Severity: normal
Keywords:
Cc:

Description

First reported by Ryan Marsaw on Sunday in http://lists.linuxfromscratch.org/pipermail/blfs-dev/2018-April/034321.html

This causes https to fail on new installs, and on upgraded installs from an earlier version of openssl the old certificates will be used if an attempt is made to refresh the certs.

Upstream bug is https://github.com/openssl/openssl/issues/5772 (reported by debian, https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894282 )

From an openssl comment after this was closed:

levitte commented 8 days ago

Side note: while I understand the nature of habit, I would urge those who can (and this most definitely includes Linux as far as I know) to switch to use openssl rehash. c_rehash is a kinda fallback script that will disappear at some point.

Meanwhile, in the absence of openssl-1.1.0j I suggest we try adding quotes to /usr/bin/c_rehash (on the make-ca page, before invoking make-ca) if they are not present.

I have suggested

sed -i -e s%'= /etc/ssl;%= "/etc/ssl";%' \
       -e 's%= /usr;%= "/usr";%' /usr/bin/c_rehash

on the grounds that it looks as if it will do the right thing (nothing) if rerun, but I haven't confirmed that.

For the longer term, I guess we should move to openssl rehash.

I can take a look at confirming the sed can be run multiple times without breaking c_rehash.

Change History (5)

comment:1 by Bruce Dubbs, 3 years ago

According to the c_rehash man page, c_rehash is the same as openssl rehash. What we have now is one line:

/usr/bin/c_rehash "${DESTDIR}${CERTDIR}" 2>&1>/dev/null

so if we replace 'c_' with 'openssl ' we should be good.


For the sed, which we should also do, I suggest a minor change:

sed -e 's%= /etc/ssl;%= "/etc/ssl";%' \
    -e 's%= /usr;%= "/usr";%'         \
    -i /usr/bin/c_rehash

And if run a second time it will do nothing because the " inserted the first time will prevent a match on subsequent applications.
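As an added check (not part of the ticket, of BLFS or of openssl), the script below applies the sed from this comment to a constructed stand-in for c_rehash and confirms that a second run leaves the file unchanged; the stand-in's contents and the function names are assumptions, not the real /usr/bin/c_rehash.

```shell
#!/bin/sh
# Added example: show that the quoting sed is idempotent. Works on a
# constructed sample file, never on the real /usr/bin/c_rehash.

# Write a constructed fragment containing the two unquoted Perl
# assignments the sed targets (assumed shape, not the real script).
write_sample_c_rehash() {
    cat > "$1" <<'EOF'
#!/usr/bin/perl
my $prefix = /usr;
my $openssldir = /etc/ssl;
EOF
}

# The sed from comment:1, applied in place to the file given as $1.
quote_c_rehash_paths() {
    sed -e 's%= /etc/ssl;%= "/etc/ssl";%' \
        -e 's%= /usr;%= "/usr";%'         \
        -i "$1"
}

# Return 0 if both assignments in $1 are now quoted, 1 otherwise.
paths_are_quoted() {
    grep -q '^my \$prefix = "/usr";$' "$1" &&
    grep -q '^my \$openssldir = "/etc/ssl";$' "$1"
}

# Return 0 if applying the sed twice yields exactly the same file as
# applying it once (the edit is idempotent), 1 otherwise.
sed_is_idempotent() {
    tmp=$(mktemp) || return 1
    write_sample_c_rehash "$tmp"
    quote_c_rehash_paths "$tmp"
    cp "$tmp" "$tmp.once"
    quote_c_rehash_paths "$tmp"
    cmp -s "$tmp" "$tmp.once"
    rc=$?
    rm -f "$tmp" "$tmp.once"
    return $rc
}

# Usage: run the check and report the result.
if sed_is_idempotent; then
    echo "sed is idempotent on the sample c_rehash"
else
    echo "sed changed the sample on the second run" >&2
fi
```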

comment:2 by ken@…, 3 years ago

Owner: changed from blfs-book to ken@…
Status: new → assigned

comment:3 by ken@…, 3 years ago (in reply to comment:1)

Replying to bdubbs:

For the sed, which we should also do, I suggest a minor change:

sed -e 's%= /etc/ssl;%= "/etc/ssl";%' \
    -e 's%= /usr;%= "/usr";%'         \
    -i /usr/bin/c_rehash

And if run a second time it will do nothing because the " inserted the first time will prevent a match on subsequent applications.

Heh, I didn't notice that in my version the initial s%' has the quote at the end instead of the beginning. Weirdly, both work identically in sed-4.4 although mine is obviously incorrect.

comment:4 by ken@…, 3 years ago (in reply to comment:1)

Replying to bdubbs:

According to the c_rehash man page, c_rehash is the same as openssl rehash. What we have now is one line:

/usr/bin/c_rehash "${DESTDIR}${CERTDIR}" 2>&1>/dev/null

so if we replace 'c_' with 'openssl ' we should be good.

Works for me. I can't be bothered to go through the github rigmarole of forking and sending a pull request, so I've sent a patch to DJ.

comment:5 by ken@…, 3 years ago

Resolution: fixed
Status: assigned → closed