如何确定openssl.cnf中的默认位置？ [英] How to determine the default location for openssl.cnf?

问题描述

背景

我在写这将使用OpenSSL生成一个证书签名请求bash脚本的采用X509v3扩展兼容的主题备用名称。

由于是这个，<无命令行选项href=\"http://blog.endpoint.com/2014/10/openssl-csr-with-alternative-names-one.html?m=1#c5955230974051418639\"相对=nofollow> 一直使用会同 -config 选项的解决方案的 -reqexts 通过内嵌追加SAN值默认的配置文件选项。

  OpenSSL的REQ -new -sha256  - 键domain.key -subj/ C = US / ST = CA / O = Acme的，Inc./CN=example.com-reqexts SAN -config≤（猫/etc/ssl/openssl.cnf文件≤（printf的[SAN] \\ nsubjectAltName = DNS：example.com，DNS：www.example.com））退房手续domain.csr
 

问题

我的问题是便携性。虽然类似的问题向我保证，这部作品在我的Ubuntu环境下，因为默认配置文件是 /etc/ssl/openssl.cnf文件，遗憾的是这不会工作无处不在，与Windows是明显的例子。

的如何编程确定的完整路径OpenSSL的默认的配置文​​件？的

我已经试过

有在文档一个明显的提示

  

-config文件名搜索
  这样就可以指定其他的配置文件，这将覆盖编译时文件名或在OPENSSL_CONF环境变量中任何指定的。

我读过配置文档和搜索的<一个HREF =htt​​ps://github.com/openssl/openssl相对=nofollow>来源$ C ​​$ C ，但我不能发现由它从何处来加载选择机制编译时间默认的配置文件。如果我能找到，那么我会preFER将其装载作为一个变量到脚本，而不是硬codeD路径。

此外，我的 $ OPENSSL_CONF 变量是空的。

个错误的选择

目前我的脚本检查这些条件，并使用计算结果为true第一个：

1. $ OPENSSL_CONF 变量填充，并且文件存在


2. /etc/ssl/openssl.cnf文件存在

如果没有那些都是真的，那么它包括一个标准配置的副本。因为这实际上将覆盖客户端建立的自定义设置，这是不可取的。我想完全使用环境的条件，而只需添加SAN部分作为附录。

我可以进一步与通常的嫌疑人，甚至一个系统搜索的路径延伸这条产业链。但是，在多个存在的情况下，那我也不能保证它的实际上是使用OpenSSL的作为默认值。

解决方案

  

我如何编程方式确定的完整路径OpenSSL的默认配置文件？

编程，它一样容易使用 OPENSSLDIR 宏从 opensslconf.h ：

$猫/usr/local/ssl/darwin/include/openssl/opensslconf.h | grep的OPENSSLDIR
＃如果定义（HEADER_CRYPTLIB_H）及和放大器; ！定义（OPENSSLDIR）
＃定义OPENSSLDIR在/ usr /本地/ SSL /达尔文


---

  

如何确定openssl.cnf中的默认位置？

下面是更多的信息来帮助填补从另一个堆栈溢出问题的空白。这取决于你所使用OpenSSL的安装。

下面是简单的答案...图书馆和计划中的 OPENSSLDIR 查找 openssl.cnf中。 OPENSSLDIR 是一个配置选项，以及它与设置 - openssldir

我在3个不同的OpenSSL的一台MacBook（苹果，MacPort的和一个我建）：

＃苹果
$的/ usr / bin中/ OpenSSL的版本-a | grep的OPENSSLDIR
OPENSSLDIR：/系统/库/ OpenSSL的＃MacPorts的
$ /选择/ local / bin目录/ OpenSSL的版本-a | grep的OPENSSLDIR
OPENSSLDIR：/选择/本地/ etc / OpenSSL的＃我的OpenSSL构建
$ OpenSSL的版本-a | grep的OPENSSLDIR
OPENSSLDIR：在/ usr /本地/ SSL /达尔文


下面是较长的答案... ...它是一种埋在OpenSSL的来源$ C ​​$ C为 apps.c ， load_config 和时会发生什么 CNF 是 NULL （即无 -config 选项或 OPENSSL_CONF ENVAR）。当 CNF 是 NULL 并没有覆盖，那么 OPENSSLDIR 是用了。

INT load_config（BIO *犯错，CONF * CNF）
{
    静态INT load_config_called = 0;
    如果（load_config_called）
        返回1;
    load_config_called = 1;
    如果（！CNF）
        CNF =配置;
    如果（！CNF）
        返回1;    OPENSSL_load_builtin_modules（）;    如果（CONF_modules_load（CNF，NULL，0）＆下; = 0）{
        BIO_printf（ERR错误配置的OpenSSL \\ n）;
        ERR_print_errors（ERR）;
        返回0;
    }
    返回1;
}


---

  

...因为默认的配置文件是 /etc/ssl/openssl.cnf文件这部作品在我的Ubuntu环境下，不幸的是这将不工作无处不在，与Windows是明显的例子。

这可能仍然是在Windows上对你的一个问题。如果你从源代码建立自己的OpenSSL你应该确定;模的长文件名在Windows处理（见问题＃4490：NMAKE安装失败。目标必须在目录\\ UTIL \\ copy.pl第39行关于）

如乡亲rel=\"nofollow\">闪亮灯和Win32 OpenSSL的提供安装和OpenSSL的不可以的被安装在包装机所设想的目录。我甚至见过的Unix目录，比如的/ usr /本地出现在Windows机器。

对于Windows，你最安全的赌注可能是设置 OPENSSL_CONF 环境变量来覆盖破碎的路径和路径处理错误。

---

另外，我不知道一个 CONF的_ * 或 nconf中_ * API调用，让你有效目录中运行。在这里，有效目录将是配置目录再加之类的东西 OPENSSL_CONF 覆盖。现在OpenSSL的用户列表中打开：在运行时获取有效OPENSSLDIR路径？

Background

I'm writing a bash script that will use openssl to generate a certificate signing request with X509v3 extension compliant subject alternative names.

Since there's no command line option for this, a solution has been to use the -config option in conjunction with the -reqexts option by appending the SAN values inline to the default configuration file.

openssl req -new -sha256 -key domain.key -subj "/C=US/ST=CA/O=Acme, Inc./CN=example.com" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com")) -out domain.csr

Question

My problem is portability. While a similar question assures me that this works in my Ubuntu environment because the default configuration file is /etc/ssl/openssl.cnf, unfortunately this won't work everywhere, with Windows being the obvious example.

How do I programmatically determine the full path to the openssl default configuration file?

What I've Tried

There's a glaring hint in the documentation

-config filename
this allows an alternative configuration file to be specified, this overrides the compile time filename or any specified in the OPENSSL_CONF environment variable.

I've read the config documentation and searched the source code, but I can't discover the mechanism by which it chooses from where to load the "compile time" default config file. If I could find that, then I would prefer to load it as a variable into the script instead of the hard-coded path.

Moreover, my $OPENSSL_CONF variable is empty.

A Bad Alternative

Currently my script checks these conditions, and uses the first one that evaluates to true:

1. $OPENSSL_CONF variable is populated, and file exists
2. /etc/ssl/openssl.cnf exists

If neither of those are true, then it includes a copy of a standard configuration. This is undesirable because it would in effect override custom settings established by the client. I want to use the environment's conditions completely, and simply add the SAN section as an addendum.

I could further extend this chain with the paths of the usual suspects or even a system search. But in the event that multiple exist, then I have no assurance of which is in fact used by openssl as a default.

解决方案

How do I programmatically determine the full path to the openssl default configuration file?

Programmatically, its as easy as using the OPENSSLDIR macro from opensslconf.h:

$ cat /usr/local/ssl/darwin/include/openssl/opensslconf.h | grep OPENSSLDIR
#if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR)
#define OPENSSLDIR "/usr/local/ssl/darwin"

---

How to determine the default location for openssl.cnf?

Here's more information to help fill in the gaps from the other Stack Overflow question. It depends on the OpenSSL installation you are using.

Here's the short answer... The library and programs look for openssl.cnf in OPENSSLDIR. OPENSSLDIR is a configure option, and its set with --openssldir.

I'm on a MacBook with 3 different OpenSSL's (Apple's, MacPort's and the one I build):

# Apple    
$ /usr/bin/openssl version -a | grep OPENSSLDIR
OPENSSLDIR: "/System/Library/OpenSSL"

# MacPorts
$ /opt/local/bin/openssl version -a | grep OPENSSLDIR
OPENSSLDIR: "/opt/local/etc/openssl"

# My build of OpenSSL
$ openssl version -a | grep OPENSSLDIR
OPENSSLDIR: "/usr/local/ssl/darwin"

Here's the longer answer... It is kind of buried in OpenSSL source code for apps.c, load_config and what happens when cnf is NULL (i.e., no -config option or OPENSSL_CONF envar). When cnf is NULL and no overrides, then OPENSSLDIR is used.

int load_config(BIO *err, CONF *cnf)
{
    static int load_config_called = 0;
    if (load_config_called)
        return 1;
    load_config_called = 1;
    if (!cnf)
        cnf = config;
    if (!cnf)
        return 1;

    OPENSSL_load_builtin_modules();

    if (CONF_modules_load(cnf, NULL, 0) <= 0) {
        BIO_printf(err, "Error configuring OpenSSL\n");
        ERR_print_errors(err);
        return 0;
    }
    return 1;
}

---

... this works in my Ubuntu environment because the default configuration file is /etc/ssl/openssl.cnf, unfortunately this won't work everywhere, with Windows being the obvious example.

This may still be a problem for you on Windows. You should be OK if you build OpenSSL from sources yourself; modulo their long filename handling in Windows (also see Issue #4490: "nmake install" fails "Destination must be a directory at .\util\copy.pl line 39" on).

Folks like Shinning Light and Win32 OpenSSL provide installers, and OpenSSL may not be installed in the directory the packager envisioned. I've even seen Unix directories like /usr/local appear on Windows machines.

For Windows, your safest bet is probably set the OPENSSL_CONF environmental variable to override broken paths and path handling bugs.

---

Also, I'm not aware of a CONF_* or NCONF_* API call that gives you the effective directory at runtime. Here, the effective directory would be the configuration directory plus things like OPENSSL_CONF overrides. Now open on the OpenSSL User list: Get effective OPENSSLDIR path at runtime?

这篇关于如何确定openssl.cnf中的默认位置？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！