On 2015-09-19, Stuart Henderson <[email protected]> wrote:
> On 2015/09/19 06:44, Stuart Henderson wrote:
>> CVSROOT:        /cvs
>> Module name:    ports
>> Changes by:     [email protected] 2015/09/19 06:44:38
>>
>> Modified files:
>>      security/easy-rsa: Makefile
>> Added files:
>>      security/easy-rsa/patches: patch-easy-rsa_1_0_build-ca
>>                                 patch-easy-rsa_1_0_build-dh
>>                                 patch-easy-rsa_1_0_build-inter
>>                                 patch-easy-rsa_1_0_build-key
>>                                 patch-easy-rsa_1_0_build-key-pass
>>                                 patch-easy-rsa_1_0_build-key-pkcs12
>>                                 patch-easy-rsa_1_0_build-key-server
>>                                 patch-easy-rsa_1_0_build-req
>>                                 patch-easy-rsa_1_0_build-req-pass
>>                                 patch-easy-rsa_1_0_list-crl
>>                                 patch-easy-rsa_1_0_make-crl
>>                                 patch-easy-rsa_1_0_revoke-crt
>>                                 patch-easy-rsa_1_0_revoke-full
>>                                 patch-easy-rsa_1_0_sign-req
>>                                 patch-easy-rsa_2_0_pkitool
>>
>> Log message:
>> switch easy-rsa to using openssl to unbreak; libressl doesn't allow $ENV::
>> in config files and easy-arrrrsa uses this heavily.
>>
>
> Very much non-ideal, but I don't see a better way given how easy-rsa
> works. It looks like TinyCA will have a similar problem, and the
> isakmpd(8) manual also needs revising as it passes env variables
> in to generate subjectAltName fields.

ikectl(8) hit a similar problem because it used $ENV in 'ikectl ca vpn create'. However reyk@ rewrote the certificate generation routine in ikectl to do string replacements from $ENV before passing the conf file over to libressl. Maybe this can be generalized to solve the $ENV problem.
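
The pre-substitution idea described above, as an added shell example (not part of the original message, and not ikectl's or easy-rsa's own code): expand `$ENV::NAME` and `${ENV::NAME}` in a config template before the library reads it. The names `render_conf`, `demo`, `KEY_CN` and the temp-file prefix are assumptions made for illustration.

```sh
# Added example: expand $ENV::NAME / ${ENV::NAME} in an OpenSSL-style config
# template, so the rendered file no longer depends on $ENV:: support.

# render_conf TEMPLATE -> prints the path of the rendered file.
# mktemp creates the file with mode 0600, readable by the owner only.
# Fails if a referenced variable is unset, or if its value contains a
# newline, CR, "$" or backslash (which could add lines or be re-expanded).
render_conf() {
    _tpl=$1
    _out=$(mktemp "${TMPDIR:-/tmp}/openssl-cnf.XXXXXX") || return 1
    if awk '
        {
            line = $0; res = ""
            while (match(line, /[$][{]ENV::[A-Za-z_][A-Za-z0-9_]*[}]|[$]ENV::[A-Za-z_][A-Za-z0-9_]*/)) {
                name = substr(line, RSTART, RLENGTH)
                gsub(/^[$][{]?ENV::|[}]$/, "", name)   # keep only the variable name
                if (!(name in ENVIRON)) {
                    printf "line %d: %s is not set\n", NR, name > "/dev/stderr"
                    exit 2
                }
                val = ENVIRON[name]
                if (val ~ /[\n\r$\\]/) {
                    printf "line %d: unsafe value in %s\n", NR, name > "/dev/stderr"
                    exit 3
                }
                res = res substr(line, 1, RSTART - 1) val
                line = substr(line, RSTART + RLENGTH)
            }
            print res line
        }' "$_tpl" > "$_out"
    then
        printf '%s\n' "$_out"
    else
        _rc=$?
        rm -f "$_out"       # never leave a half-rendered config behind
        return "$_rc"
    fi
}

# Constructed sample input: one template line and a made-up value.
demo() {
    _t=$(mktemp) || return 1
    printf '%s\n' 'commonName_default = $ENV::KEY_CN' > "$_t"
    KEY_CN=vpn.example.org; export KEY_CN
    _r=$(render_conf "$_t") && cat "$_r"
    rm -f "$_t" "$_r"
}
if [ "${1:-}" = demo ]; then demo; fi
```

The caller passes the printed path to the tool's config option and removes the file afterwards.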
