
Bug 160314

Summary: dev-libs/openssl - /etc/ssl/openssl.cnf prevents valid CA from being generated
Product: Gentoo Linux
Reporter: Bjarke Istrup Pedersen (RETIRED) <gurligebis>
Component: New packages
Assignee: Gentoo's Team for Core System packages <base-system>
Status: RESOLVED UPSTREAM
Severity: normal
CC: dick
Priority: High
Version: unspecified
Hardware: All
OS: Other
URL: http://calvin.lplug.org/pipermail/lplug/2006-June/000220.html
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: Patch that fixes the bug

Description Bjarke Istrup Pedersen (RETIRED) gentoo-dev 2007-01-05 12:29:44 UTC
There is a bug in /etc/ssl/openssl.cnf that prevents openssl from generating a valid CA.
It generates a CA, but the CA is not able to sign certificates so that they are valid.

The problem is explained in the URL.
Comment 1 Bjarke Istrup Pedersen (RETIRED) gentoo-dev 2007-01-05 12:36:05 UTC
Created attachment 105559 [details, diff]
Patch that fixes the bug

This patch fixes the bug in openssl.cnf
Comment 2 Jakub Moc (RETIRED) gentoo-dev 2007-01-05 14:12:43 UTC
Kindly review http://bugs.gentoo.org/page.cgi?id=fields.html#bug_severity
Comment 3 Bjarke Istrup Pedersen (RETIRED) gentoo-dev 2007-01-06 08:42:39 UTC
Okay, I have done that; shouldn't it be Major?
Major : major loss of function.

I would call not being able to run a CA with openssl a major loss of function ;-)
Anyway, the patch is straightforward, and works fine :-)
Comment 4 Bjarke Istrup Pedersen (RETIRED) gentoo-dev 2007-01-18 10:52:17 UTC
Hmm, this makes it create every cert as a CA :(
Any ideas on how to get the CA generated as a CA, but the rest generated as normal certificates?
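The question in the comment above is how to keep CA:TRUE on the CA certificate without handing it to every certificate the CA issues. The script below is an added example, not the reporter's patch nor anything shipped by Gentoo or OpenSSL: it writes a constructed openssl.cnf with two extension sections (the section names v3_ca and usr_cert follow the stock openssl.cnf; all other values are made up for the demo), issues a CA with v3_ca, a leaf with usr_cert, and a second leaf with v3_ca to reproduce the "every cert is a CA" mistake, then checks the basicConstraints of each. It assumes the openssl command-line tool is on PATH.

```shell
#!/bin/sh
# Added example (not from the bug report or the Gentoo/OpenSSL packages).
# Demonstrates one openssl.cnf carrying a CA extension section and a
# separate end-entity section, so only the CA certificate gets CA:TRUE.
# Assumes the openssl CLI is on PATH; section names v3_ca and usr_cert
# match the stock openssl.cnf, the rest is constructed for the demo.

# Write a minimal, constructed openssl.cnf into the file given as $1.
write_config() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no

[ req_dn ]
CN = unused-default

# Extensions for the CA certificate only.
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

# Extensions for ordinary (end-entity) certificates.
[ usr_cert ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Build a CA and two leaf certificates under directory $1:
#   ca.crt          self-signed, issued with the v3_ca section
#   leaf.crt        signed by the CA with the usr_cert section (correct)
#   leaf_as_ca.crt  signed by the CA with the v3_ca section (the mistake
#                   from comment 4: every issued certificate becomes a CA)
build_certs() {
    d=$1
    cfg=$d/openssl.cnf
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Constructed Test CA" -config "$cfg" -extensions v3_ca \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=leaf.example.test" -config "$cfg" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -extfile "$cfg" -extensions usr_cert \
        -out "$d/leaf.crt" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -extfile "$cfg" -extensions v3_ca \
        -out "$d/leaf_as_ca.crt" 2>/dev/null
}

# Return 0 when the certificate in $1 carries basicConstraints CA:TRUE.
is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Return 0 when certificate $2 verifies against CA certificate $1.
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Issue the three certificates and report which of them are CAs.
run_demo() {
    d=$(mktemp -d)
    write_config "$d/openssl.cnf"
    build_certs "$d"
    for f in ca leaf leaf_as_ca; do
        if is_ca "$d/$f.crt"; then
            echo "$f.crt: CA:TRUE"
        else
            echo "$f.crt: CA:FALSE or no basicConstraints"
        fi
    done
    if chains_to "$d/ca.crt" "$d/leaf.crt"; then
        echo "leaf.crt verifies against ca.crt"
    fi
    rm -rf "$d"
}

if command -v openssl >/dev/null 2>&1; then
    run_demo
else
    echo "openssl not found on PATH; nothing to demonstrate"
fi
```

The point to take from the output is that leaf_as_ca.crt reports CA:TRUE: a certificate issued that way can itself sign further certificates that chain to the CA, which is why the extension section used at signing time (`-extensions usr_cert`, or the `x509_extensions` key of the `[ ca ]` section when using `openssl ca`) matters as much as the CA's own settings.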
Comment 5 SpanKY gentoo-dev 2007-01-22 05:03:51 UTC
i wouldn't really call it straight forward unless you're completely familiar with openssl/x509 ... i know i'm not

looking at the file, the default setup is for user based installs ... if you need to do something above and beyond that, modify the configuration file to suit your requirements (like any other config file in /etc)

if you disagree, please contact the openssl users list:
http://www.openssl.org/support/
Comment 6 Bjarke Istrup Pedersen (RETIRED) gentoo-dev 2007-02-14 15:08:31 UTC
I agree, but then the CA.pl / CA.sh scripts should be fixed, since they have a -newca option that is broken :-)
Comment 7 SpanKY gentoo-dev 2007-02-20 14:59:50 UTC
*** Bug 167727 has been marked as a duplicate of this bug. ***
Comment 8 Dick Marinus 2007-02-20 16:01:29 UTC
Just for the record, CA.pl works but CA.sh doesn't work... Can't we just remove CA.sh from the ebuild?
Comment 9 SpanKY gentoo-dev 2007-02-20 19:59:50 UTC
none of the files are handled specially by the ebuild ... we install everything like the upstream openssl package intends

if a script is broken, then the openssl guys should know about it