On 07/07/2020 00:32, Richard Purdie wrote:
On Mon, 2020-07-06 at 18:23 +0300, Hannu Lounento wrote:
Some openssl command line operations like creating an X.509 CSR require
the file /usr/lib/ssl-1.1/openssl.cnf to exist and fail if it doesn't

     root@qemux86-64:~# openssl req -out my.csr -new -newkey rsa:2048 -nodes -keyout my.key
     Can't open /usr/lib/ssl-1.1/openssl.cnf for reading, No such file or directory
     140289168594176:error:02001002:system library:fopen:No such file or directory:../openssl-1.1.1g/crypto/bio/bss_file.c:69:fopen('/usr/lib/ssl-1.1/openssl.cnf','r')
     140289168594176:error:2006D080:BIO routines:BIO_new_file:no such file:../openssl-1.1.1g/crypto/bio/bss_file.c:76:

which is the case e.g. in core-image-minimal with just the
package openssl-bin added to the image by declaring

     IMAGE_INSTALL_append = " openssl-bin"

e.g. in local.conf.

The file does not exist in the aforementioned image / configuration
because it is packaged to the main openssl package

     FILES_${PN} =+ "${libdir}/ssl-1.1/*"

(there is no other FILES specification that would match the file either)
and

     path/to/poky/build$ rpm --query --package --list tmp/deploy/rpm/core2_64/openssl-1.1.1g-r0.core2_64.rpm
     [...]
     /usr/lib/ssl-1.1/openssl.cnf
     [...]

Hence make the ${PN}-bin package rdepend on the main package to have the
required file /usr/lib/ssl-1.1/openssl.cnf installed.

Note that the openssl recipe has the comment

     Add the openssl.cnf file to the openssl-conf package. Make the libcrypto
     package RRECOMMENDS on this package. This will enable the configuration
     file to be installed for both the openssl-bin package and the libcrypto
     package since the openssl-bin package depends on the libcrypto package.

but openssl-conf only contains /etc/ssl/openssl.cnf

     path/to/poky/build$ rpm --query --package --list tmp/deploy/rpm/core2_64/openssl-conf-1.1.1g-r0.core2_64.rpm
     /etc
     /etc/ssl
     /etc/ssl/openssl.cnf

/usr/lib/ssl-1.1/openssl.cnf is actually only a symlink that points to
../../../etc/ssl/openssl.cnf.

Signed-off-by: Hannu Lounento <[email protected]>
---
  meta/recipes-connectivity/openssl/openssl_1.1.1g.bb | 1 +
  1 file changed, 1 insertion(+)

Perhaps the correct fix here is to move the config file in /usr to the
-conf package?

Ok, I sent v2. I also moved /usr/lib/ssl-1.1/openssl.cnf.dist as it seemed closely related.

Hopefully the v2 is good because based on some quick research there have been fairly many changes related to the configuration file and its location due to various issues.

What I found out was that the commit 4d3c79df13920b4f095ae12caf43e866318c3143 in 2013 moved the file from ${PN}-misc to ${PN}-conf package and made libcrypto RRECOMMEND ${PN}-conf. In 2018 the commit 13e0be4efc23fcc1a71adba1b6707ecf59fbae29 moved the file into the main openssl package referencing a discussion on the mailing list:

    openssl: move the libdir openssl.cnf symlink into the openssl package

    The openssl 1.0 recipe puts the libdir symlink to /etc/ssl/openssl.cnf
    in the base openssl package (along with the libdir symlinks to
    /etc/ssl/certs and /etc/ssl/private). Keep the openssl 1.1 recipe
    aligned with that approach until there's a clear reason to do
    something else. For more background, see comments in the following
    thread:

    http://lists.openembedded.org/pipermail/openembedded-core/2017-April/135176.html

    (From OE-Core rev: 480335803928c95e7948f8c949127ccb5cbc7dbe)

    Signed-off-by: Andre McCurdy <[email protected]>
    Signed-off-by: Richard Purdie <[email protected]>

Additionally there were a few other openssl.cnf related commits based on grepping the history but those didn't seem that relevant:

bd6052d9d1 buildtools-tarball: export OPENSSL_CONF for openssl
a842b02a87 openssl: Handle -conf package file conflicts
f9ad66da9f openssl-nativesdk: Fix "can't open config file" warning
c1ce0d9a9e lib/oe/rootfs: Fix DEBUGFS generation for opkg & openssl-cnf

A change related to the aforementioned mailing list discussion was done and reverted in 2017 but didn't seem relevant either:

7fe30a5df4 Revert "openssl: Fix symlink creation"
070f3aa74f openssl: Fix symlink creation

>
> Cheers,
>
> Richard
>

Thanks,
--
Hannu Lounento
[email protected]
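
The packaging problem discussed in this thread can be checked against an unpacked image rootfs. The following is an added example, not part of the original messages or the openssl recipe; the function name `check_openssl_cnf`, its return codes and the rootfs argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check, inside an unpacked image rootfs, whether the file the
# openssl CLI opens (/usr/lib/ssl-1.1/openssl.cnf) is present and resolves.
# Return codes (this script's own convention, hypothetical):
#   0 = config reachable, 1 = libdir entry missing, 2 = symlink dangling
check_openssl_cnf() {
    rootfs=$1
    link="$rootfs/usr/lib/ssl-1.1/openssl.cnf"   # path taken from the error message

    # Neither a file nor a symlink: the package that ships it is not installed
    # (the openssl-bin-only image described in the commit message).
    if [ ! -e "$link" ] && [ ! -L "$link" ]; then
        echo "missing: $link"
        return 1
    fi

    if [ -L "$link" ]; then
        target=$(readlink "$link")
        case $target in
            /*) resolved="$rootfs$target" ;;              # absolute: re-root into the image
            *)  resolved="$(dirname "$link")/$target" ;;  # relative: resolve from the link's dir
        esac
        # Symlink installed without the package that owns its target
        # (/etc/ssl/openssl.cnf comes from openssl-conf).
        if [ ! -f "$resolved" ]; then
            echo "dangling: $link -> $target"
            return 2
        fi
    fi

    echo "ok: $link"
    return 0
}
```

Pointing it at the image's rootfs directory after a build distinguishes the two failure modes: the symlink not being installed at all, and the symlink being installed without its `/etc/ssl/openssl.cnf` target.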