Closed TinCanTech closed 3 months ago
The most sensible solution seems to be:

- `EASYRSA_REQ_CN` has been set, for commands that require `EASYRSA_REQ_CN`.
- `EASYRSA_SSL_CONF` to track the SSL-cnf in use by the command.
- `OPENSSL_CONF`, set to `EASYRSA_SSL_CONF`, as required.

This only requires here-doc expansion, not `sed`.

This immediately supports both OpenSSL and LibreSSL, without requiring differentiation!

If the `openssl-easyrsa.cnf` file in place is recognised, it can be ignored. If not, then it MUST be expanded by `sed`.
### OpenSSL

OpenSSL does not require any expansion of `openssl-easyrsa.cnf` and will use it as designed by EasyRSA.

### LibreSSL
LibreSSL does not allow `openssl-easyrsa.cnf` to contain any references to env-vars. Any attempt to do so fails.

This means that ancillary code, such as `display_dn()`, must either use an expanded SSL config file or use no config file at all.

Only the final, edited version of `openssl-easyrsa.cnf` needs to be expanded for the command in use, e.g. `sign-req`.

### Ancillary code
All ancillary code, e.g. `display_dn()`, ~~can use `export OPENSSL_CONF=/dev/null`, to avoid loading the current config file~~.

~~This allows an unexpanded `openssl-easyrsa.cnf` to be used and edited by the script and only expanded prior to the final SSL command, e.g. `openssl x509`.~~

### Here-doc use: OpenSSL
OpenSSL does not require expanding here-docs but can still use the built-in here-doc to provide an unexpanded `openssl-easyrsa.cnf`, when it is missing.

### Here-doc use: LibreSSL
Use of an expanded here-doc for LibreSSL can only be done before the main command is called. This is due to commands like `build-ca`, which edit `openssl-easyrsa.cnf` on the fly. Using an expanded here-doc MUST be done after `EASYRSA_REQ_CN` is set, in order that the config file expands the `commonName` correctly. Expanding a here-doc after editing the config file in place incorrectly over-writes the changes made to the SSL config.

This means that expanding `openssl-easyrsa.cnf` for LibreSSL can only be done via `sed` (or possibly `awk`). Expansion cannot be done via a here-doc after the file has been edited.

### Conclusion
Expanding a here-doc for use by LibreSSL is incorrect. LibreSSL can use the unexpanded `openssl-easyrsa.cnf` up until the command in use calls LibreSSL for the main command. Then use `sed` for expansion. Thus, removing here-doc expansion is required.

A here-doc can still be used to provide an unexpanded `openssl-easyrsa.cnf`, when it is missing from the installation.

### Alternate conclusion under consideration
It is possible to use here-doc expansion for LibreSSL, provided that the here-doc is expanded AFTER `EASYRSA_REQ_CN` is set and BEFORE any subsequent edits are made to `openssl-easyrsa.cnf`.

~~This would allow removal of `sed` expansion~~ .. which is my preferred goal.

`sed` expansion of `openssl-easyrsa.cnf` in-place (not generated) is ALWAYS required for LibreSSL. Therefore, it is preferred to generate this file, unless the file in-place is not an EasyRSA original.

### Notes
`sh.exe` does not support `/dev/null` as an input source. However, `OPENSSL_CONF='' "$EASYRSA_OPENSSL" req foo` does work. I have no idea why this works in Windows.
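Added example (not EasyRSA's own code) illustrating the two expansion routes discussed in the LibreSSL and here-doc sections above: here-doc expansion, which only works once `EASYRSA_REQ_CN` is set, versus `sed` expansion of a file already in place, plus a check that the result carries no `$ENV::` references, which is what LibreSSL rejects. The template, the function names and the `$ENV::EASYRSA_REQ_CN` line are a constructed stand-in for the relevant part of `openssl-easyrsa.cnf`, not the real file.

```shell
#!/bin/sh
# Constructed stand-in for the part of openssl-easyrsa.cnf that matters here.
# OpenSSL resolves $ENV::EASYRSA_REQ_CN at run time; LibreSSL refuses it.
UNEXPANDED_TEMPLATE='[ req ]
distinguished_name = req_distinguished_name
prompt = no

[ req_distinguished_name ]
commonName = $ENV::EASYRSA_REQ_CN'

# Here-doc route: the shell substitutes ${EASYRSA_REQ_CN} when the file is
# written, so the variable must already be set, otherwise commonName is empty.
write_expanded_cnf() {
    # $1 = output path
    if [ -z "${EASYRSA_REQ_CN:-}" ]; then
        echo "EASYRSA_REQ_CN must be set before here-doc expansion" >&2
        return 1
    fi
    cat > "$1" <<EOF
[ req ]
distinguished_name = req_distinguished_name
prompt = no

[ req_distinguished_name ]
commonName = ${EASYRSA_REQ_CN}
EOF
}

# sed route: expand a file that is already in place (e.g. after build-ca has
# edited it on the fly) without regenerating it and losing those edits.
# Note: a CN containing '|' or '&' would need escaping for sed.
sed_expand_cnf() {
    # $1 = input path, $2 = output path
    sed 's|\$ENV::EASYRSA_REQ_CN|'"${EASYRSA_REQ_CN}"'|g' "$1" > "$2"
}

# Returns 0 when no env-var reference remains, i.e. the file is LibreSSL-safe.
cnf_is_expanded() {
    ! grep -q '\$ENV::' "$1"
}
```

Run `cnf_is_expanded` on the config just before the main SSL command to catch the ordering mistake (expanding before `EASYRSA_REQ_CN` is set, or regenerating after in-place edits) rather than letting LibreSSL fail on it.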