如何确定openssl.cnf中的默认位置? [英] How to determine the default location for openssl.cnf?
问题描述
背景
我在写这将使用OpenSSL生成一个证书签名请求bash脚本的采用X509v3扩展兼容的主题备用名称。
由于是这个,<无命令行选项href=\"http://blog.endpoint.com/2014/10/openssl-csr-with-alternative-names-one.html?m=1#c5955230974051418639\"相对=nofollow> 一直使用会同 -config
选项的解决方案的 -reqexts
通过内嵌追加SAN值默认的配置文件选项。
OpenSSL的REQ -new -sha256 - 键domain.key -subj/ C = US / ST = CA / O = Acme的,Inc./CN=example.com-reqexts SAN -config≤(猫/etc/ssl/openssl.cnf文件≤(printf的[SAN] \\ nsubjectAltName = DNS:example.com,DNS:www.example.com))退房手续domain.csr
问题
我的问题是便携性。虽然类似的问题向我保证,这部作品在我的Ubuntu环境下,因为默认配置文件是 /etc/ssl/openssl.cnf文件
,遗憾的是这不会工作无处不在,与Windows是明显的例子。
的如何编程确定的完整路径OpenSSL的默认的配置文件?的
我已经试过
有在文档一个明显的提示
-config文件名搜索
这样就可以指定其他的配置文件,这将覆盖编译时文件名或在OPENSSL_CONF环境变量中任何指定的。
块引用>我读过配置文档和搜索的<一个HREF =https://github.com/openssl/openssl相对=nofollow>来源$ C $ C ,但我不能发现由它从何处来加载选择机制编译时间默认的配置文件。如果我能找到,那么我会preFER将其装载作为一个变量到脚本,而不是硬codeD路径。
此外,我的
$ OPENSSL_CONF
变量是空的。个错误的选择
目前我的脚本检查这些条件,并使用计算结果为true第一个:
$ OPENSSL_CONF
变量填充,并且文件存在/etc/ssl/openssl.cnf文件
存在如果没有那些都是真的,那么它包括一个标准配置的副本。因为这实际上将覆盖客户端建立的自定义设置,这是不可取的。我想完全使用环境的条件,而只需添加SAN部分作为附录。
我可以进一步与通常的嫌疑人,甚至一个系统搜索的路径延伸这条产业链。但是,在多个存在的情况下,那我也不能保证它的实际上是使用OpenSSL的作为默认值。
解决方案
我如何编程方式确定的完整路径OpenSSL的默认配置文件?
块引用>编程,它一样容易使用
OPENSSLDIR
宏从opensslconf.h
:$猫/usr/local/ssl/darwin/include/openssl/opensslconf.h | grep的OPENSSLDIR
#如果定义(HEADER_CRYPTLIB_H)及和放大器; !定义(OPENSSLDIR)
#定义OPENSSLDIR在/ usr /本地/ SSL /达尔文
如何确定openssl.cnf中的默认位置?
块引用>下面是更多的信息来帮助填补从另一个堆栈溢出问题的空白。这取决于你所使用OpenSSL的安装。
下面是简单的答案...图书馆和计划中的
OPENSSLDIR
查找openssl.cnf中
。OPENSSLDIR
是一个配置选项,以及它与设置 - openssldir
我在3个不同的OpenSSL的一台MacBook(苹果,MacPort的和一个我建):
#苹果
$的/ usr / bin中/ OpenSSL的版本-a | grep的OPENSSLDIR
OPENSSLDIR:/系统/库/ OpenSSL的#MacPorts的
$ /选择/ local / bin目录/ OpenSSL的版本-a | grep的OPENSSLDIR
OPENSSLDIR:/选择/本地/ etc / OpenSSL的#我的OpenSSL构建
$ OpenSSL的版本-a | grep的OPENSSLDIR
OPENSSLDIR:在/ usr /本地/ SSL /达尔文下面是较长的答案... ...它是一种埋在OpenSSL的来源$ C $ C为
apps.c
,load_config
和时会发生什么CNF
是NULL
(即无-config
选项或OPENSSL_CONF
ENVAR)。当CNF
是NULL
并没有覆盖,那么OPENSSLDIR
是用了。INT load_config(BIO *犯错,CONF * CNF)
{
静态INT load_config_called = 0;
如果(load_config_called)
返回1;
load_config_called = 1;
如果(!CNF)
CNF =配置;
如果(!CNF)
返回1; OPENSSL_load_builtin_modules(); 如果(CONF_modules_load(CNF,NULL,0)&下; = 0){
BIO_printf(ERR错误配置的OpenSSL \\ n);
ERR_print_errors(ERR);
返回0;
}
返回1;
}
...因为默认的配置文件是
/etc/ssl/openssl.cnf文件
这部作品在我的Ubuntu环境下,不幸的是这将不工作无处不在,与Windows是明显的例子。
块引用>这可能仍然是在Windows上对你的一个问题。如果你从源代码建立自己的OpenSSL你应该确定;模的长文件名在Windows处理(见问题#4490:NMAKE安装失败。目标必须在目录\\ UTIL \\ copy.pl第39行关于)
如乡亲rel=\"nofollow\">闪亮灯和Win32 OpenSSL的提供安装和OpenSSL的不可以的被安装在包装机所设想的目录。我甚至见过的Unix目录,比如的/ usr /本地
出现在Windows机器。对于Windows,你最安全的赌注可能是设置
OPENSSL_CONF
环境变量来覆盖破碎的路径和路径处理错误。另外,我不知道一个
CONF的_ *
或nconf中_ *
API调用,让你有效目录中运行。在这里,有效目录将是配置目录再加之类的东西OPENSSL_CONF
覆盖。现在OpenSSL的用户列表中打开:在运行时获取有效OPENSSLDIR路径?Background
I'm writing a bash script that will use openssl to generate a certificate signing request with X509v3 extension compliant subject alternative names.
Since there's no command line option for this, a solution has been to use the
-config
option in conjunction with the-reqexts
option by appending the SAN values inline to the default configuration file.openssl req -new -sha256 -key domain.key -subj "/C=US/ST=CA/O=Acme, Inc./CN=example.com" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(printf "[SAN]\nsubjectAltName=DNS:example.com,DNS:www.example.com")) -out domain.csr
Question
My problem is portability. While a similar question assures me that this works in my Ubuntu environment because the default configuration file is
/etc/ssl/openssl.cnf
, unfortunately this won't work everywhere, with Windows being the obvious example.How do I programmatically determine the full path to the openssl default configuration file?
What I've Tried
There's a glaring hint in the documentation
-config filename
this allows an alternative configuration file to be specified, this overrides the compile time filename or any specified in the OPENSSL_CONF environment variable.I've read the config documentation and searched the source code, but I can't discover the mechanism by which it chooses from where to load the "compile time" default config file. If I could find that, then I would prefer to load it as a variable into the script instead of the hard-coded path.
Moreover, my
$OPENSSL_CONF
variable is empty.A Bad Alternative
Currently my script checks these conditions, and uses the first one that evaluates to true:
$OPENSSL_CONF
variable is populated, and file exists/etc/ssl/openssl.cnf
existsIf neither of those are true, then it includes a copy of a standard configuration. This is undesirable because it would in effect override custom settings established by the client. I want to use the environment's conditions completely, and simply add the SAN section as an addendum.
I could further extend this chain with the paths of the usual suspects or even a system search. But in the event that multiple exist, then I have no assurance of which is in fact used by openssl as a default.
解决方案How do I programmatically determine the full path to the openssl default configuration file?
Programmatically, its as easy as using the
OPENSSLDIR
macro fromopensslconf.h
:$ cat /usr/local/ssl/darwin/include/openssl/opensslconf.h | grep OPENSSLDIR #if defined(HEADER_CRYPTLIB_H) && !defined(OPENSSLDIR) #define OPENSSLDIR "/usr/local/ssl/darwin"
How to determine the default location for openssl.cnf?
Here's more information to help fill in the gaps from the other Stack Overflow question. It depends on the OpenSSL installation you are using.
Here's the short answer... The library and programs look for
openssl.cnf
inOPENSSLDIR
.OPENSSLDIR
is a configure option, and its set with--openssldir
.I'm on a MacBook with 3 different OpenSSL's (Apple's, MacPort's and the one I build):
# Apple $ /usr/bin/openssl version -a | grep OPENSSLDIR OPENSSLDIR: "/System/Library/OpenSSL" # MacPorts $ /opt/local/bin/openssl version -a | grep OPENSSLDIR OPENSSLDIR: "/opt/local/etc/openssl" # My build of OpenSSL $ openssl version -a | grep OPENSSLDIR OPENSSLDIR: "/usr/local/ssl/darwin"
Here's the longer answer... It is kind of buried in OpenSSL source code for
apps.c
,load_config
and what happens whencnf
isNULL
(i.e., no-config
option orOPENSSL_CONF
envar). Whencnf
isNULL
and no overrides, thenOPENSSLDIR
is used.int load_config(BIO *err, CONF *cnf) { static int load_config_called = 0; if (load_config_called) return 1; load_config_called = 1; if (!cnf) cnf = config; if (!cnf) return 1; OPENSSL_load_builtin_modules(); if (CONF_modules_load(cnf, NULL, 0) <= 0) { BIO_printf(err, "Error configuring OpenSSL\n"); ERR_print_errors(err); return 0; } return 1; }
... this works in my Ubuntu environment because the default configuration file is
/etc/ssl/openssl.cnf
, unfortunately this won't work everywhere, with Windows being the obvious example.This may still be a problem for you on Windows. You should be OK if you build OpenSSL from sources yourself; modulo their long filename handling in Windows (also see Issue #4490: "nmake install" fails "Destination must be a directory at .\util\copy.pl line 39" on).
Folks like Shinning Light and Win32 OpenSSL provide installers, and OpenSSL may not be installed in the directory the packager envisioned. I've even seen Unix directories like
/usr/local
appear on Windows machines.For Windows, your safest bet is probably set the
OPENSSL_CONF
environmental variable to override broken paths and path handling bugs.
Also, I'm not aware of a
CONF_*
orNCONF_*
API call that gives you the effective directory at runtime. Here, the effective directory would be the configuration directory plus things likeOPENSSL_CONF
overrides. Now open on the OpenSSL User list: Get effective OPENSSLDIR path at runtime?这篇关于如何确定openssl.cnf中的默认位置?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!