On 2015-10-25, Stuart Henderson <[email protected]> wrote:
> On 2015/10/25 09:44, Theo de Raadt wrote:
>> >I just spent 30 minutes playing with easy-rsa which is shipped broken on
>> >5.8 until I realized what was going on. I see that sthen has already
>> >reverted easy-rsa to OpenSSL run dependency per comment
>> >
>> >switch easy-rsa to using openssl to unbreak; libressl doesn't allow
>> >$ENV:: in config files and easy-arrrrsa uses this heavily.
>> >
>> >Moving forward should I even bother with easy-rsa and just use vanilla
>> >libressl to generate certificates? What is the recommendation for this
>> >port in the light of libressl "incompatibilities".
>>
>> the ENV support was removed because a library cannot safely decide
>> whether to honour or not honour environment variables in all situations.
>>
>> In OpenBSD, we can do this using issetugid, but there is no safe way
>> to emulate such a check on other systems (we do it with a system
>> call).
>>
>> The practice of communicating to libraries with environment variables
>> like this is insane, and should be deprecated. Maybe you can talk to
>> the authors nicely and see if they can find a better way...
>
> While on the subject, cert generation steps in the isakmpd(8) manual are
> also broken by this. It's absolutely right IMHO that the library should not
> honour these variables, but can anyone comment on how difficult/desirable
> it would be for the openssl(1) tool to handle these internally?

reyk@ fixed this for iked by having the code generate a temporary configuration file for openssl(1) which has the correct variables set.
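
Added example, not part of the original message and not the iked code: a sketch of the temporary-configuration-file approach described above, in which the caller passes values explicitly and the script writes a private copy of the config with every `$ENV::` reference already resolved. The function names, the template text and the sample values are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not from the thread: names, template text and values below
# are constructed for illustration.

# A constructed template in the easy-rsa style, relying on $ENV:: lookups.
sample_template() {
    cat <<'EOF'
[ CA_default ]
dir = $ENV::KEY_DIR
certs = $ENV::KEY_DIR/certs
[ req_distinguished_name ]
commonName_default = $ENV::KEY_CN
EOF
}

# render_config TEMPLATE NAME=VALUE...
# Writes a copy of TEMPLATE into a fresh 0700 temp directory with every
# $ENV::NAME replaced by the VALUE given as an argument, and prints its path.
# Exits non-zero (fails closed) if any ENV:: reference is left unresolved.
render_config() (
    umask 077
    template=$1; shift
    dir=$(mktemp -d "${TMPDIR:-/tmp}/openssl-cnf.XXXXXX") || exit 1
    out=$dir/openssl.cnf
    cp "$template" "$out" || { rm -rf "$dir"; exit 1; }
    for pair in "$@"; do
        name=${pair%%=*}; value=${pair#*=}
        case $pair in *=*) ;; *) rm -rf "$dir"; exit 2 ;; esac
        case $name in ''|*[!A-Za-z0-9_]*) rm -rf "$dir"; exit 2 ;; esac
        case $value in *'
'*) rm -rf "$dir"; exit 2 ;; esac
        # Escape what is special in a sed replacement using '|' as delimiter.
        esc=$(printf '%s' "$value" | sed 's/[\\&|]/\\&/g')
        # Replace NAME only before a non-identifier character or end of line,
        # so that KEY never rewrites the prefix of KEY_DIR.
        sed -e "s|\\\$ENV::$name\\([^A-Za-z0-9_]\\)|$esc\\1|g" \
            -e "s|\\\$ENV::$name\$|$esc|" "$out" > "$out.new" \
            && mv "$out.new" "$out" || { rm -rf "$dir"; exit 1; }
    done
    if grep -q 'ENV::' "$out"; then
        echo "unresolved ENV:: reference in $template" >&2
        rm -rf "$dir"; exit 3
    fi
    printf '%s\n' "$out"
)
# Usage: cnf=$(render_config openssl.cnf.in KEY_DIR=/etc/ssl/ca KEY_CN=vpn) &&
#        openssl req -new -config "$cnf" -key ca.key -out ca.csr
#        rm -rf "${cnf%/*}"
```

The rendered file contains only literal values, so it behaves the same with LibreSSL and OpenSSL and nothing is read from the process environment at parse time.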
