Dear LibreSSL developers! When using the ‘ca’ tool in OpenSSL, I have always been confused by the documentation, examples and source code:
the ‘ca’ tool seems to suggest using a ‘certs’ directory within the “default” directory hierarchy of a CA, but it neither uses nor properly documents that directory. The decision whether or how to use it should thus be left to the user. I could not find out whether there is software that actually *needs* it – people seem to just copy & paste OpenSSL-related how-tos and similar documentation around, without thinking about it or checking what the software does. I have concluded that the code, default config files and documentation are simply buggy, have grepped through it today, and created the attached patch against LibreSSL. As I do not understand all of how the code works, I’d be glad if some of you could review the patch. I hope you will find it useful. The portable version of LibreSSL builds with this patch under a Linux system; I have not verified other combinations. Cheers -- Nico
Since at least SSLeay-0.5.1 (released 1995-12-21) (but after SSLeay-0.4.5d, released 1995-11-15), a ‘certs’ directory and an unused ‘ENV_CERTS’ macro appear in the source code of ca (the minimal Certificate Authority application), the man pages and the configuration files included in the SSLeay/OpenSSL/LibreSSL package. That directory and the almost non-existent and wrong documentation has always been a source of great confusion for me when I wanted to use the ca tool. In fact, the directory seemed not to be used at all, but to be created and recommended by all the tools and how-tos out there on the WWW. After grepping through the current LibreSSL source code, I found out that the directory is in fact not used, so this patch against current LibreSSL removes that ‘certs’ directory and the unused ‘ENV_CERTS’ macro in the source code of the ca tool, as well as the misleading documentation about the ‘certs’ directory. Note that for ts, the Time-Stamping Authority tool, a configuration file option named ‘certs’ exists and points to a *file*; it is not touched by this patch.

-- nico, 2015-05-14T15:02:16+02:00

diff --git a/src/lib/libssl/src/apps/openssl.cnf b/src/lib/libssl/src/apps/openssl.cnf --- a/src/lib/libssl/src/apps/openssl.cnf +++ b/src/lib/libssl/src/apps/openssl.cnf @@ -39,7 +39,6 @@ [ CA_default ] dir = ./demoCA # Where everything is kept -certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crl # Where the issued crl are kept database = $dir/index.txt # database index file. #unique_subject = no # Set to 'no' to allow creation of diff --git a/src/lib/libssl/src/doc/apps/ca.pod b/src/lib/libssl/src/doc/apps/ca.pod --- a/src/lib/libssl/src/doc/apps/ca.pod +++ b/src/lib/libssl/src/doc/apps/ca.pod 
@@ -592,7 +592,6 @@ ./demoCA/serial.old - CA serial number backup file ./demoCA/index.txt - CA text database file ./demoCA/index.txt.old - CA text database backup file - ./demoCA/certs - certificate output file ./demoCA/.rnd - CA random seed information =head1 ENVIRONMENT VARIABLES diff --git a/src/lib/libssl/src/test/CAss.cnf b/src/lib/libssl/src/test/CAss.cnf --- a/src/lib/libssl/src/test/CAss.cnf +++ b/src/lib/libssl/src/test/CAss.cnf @@ -32,7 +32,6 @@ [ CA_default ] dir = ./demoCA # Where everything is kept -certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crl # Where the issued crl are kept database = $dir/index.txt # database index file. #unique_subject = no # Set to 'no' to allow creation of diff --git a/src/lib/libssl/src/test/CAtsa.cnf b/src/lib/libssl/src/test/CAtsa.cnf --- a/src/lib/libssl/src/test/CAtsa.cnf +++ b/src/lib/libssl/src/test/CAtsa.cnf @@ -25,7 +25,6 @@ [ CA_default ] dir = ./demoCA -certs = $dir/certs # Where the issued certs are kept database = $dir/index.txt # database index file. new_certs_dir = $dir/newcerts # default place for new certs. diff --git a/src/lib/libssl/src/test/test.cnf b/src/lib/libssl/src/test/test.cnf --- a/src/lib/libssl/src/test/test.cnf +++ b/src/lib/libssl/src/test/test.cnf @@ -13,7 +13,6 @@ [ CA_default ] dir = ./demoCA # Where everything is kept -certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crl # Where the issued crl are kept database = $dir/index.txt # database index file. new_certs_dir = $dir/new_certs # default place for new certs. diff --git a/src/usr.bin/openssl/ca.c b/src/usr.bin/openssl/ca.c --- a/src/usr.bin/openssl/ca.c +++ b/src/usr.bin/openssl/ca.c @@ -89,7 +89,6 @@ #define UTF8_IN "utf8" #define ENV_DIR "dir" -#define ENV_CERTS "certs" #define ENV_CRL_DIR "crl_dir" #define ENV_CA_DB "CA_DB" #define ENV_NEW_CERTS_DIR "new_certs_dir" diff --git a/src/usr.bin/openssl/openssl.1 b/src/usr.bin/openssl/openssl.1 --- a/src/usr.bin/openssl/openssl.1 
+++ b/src/usr.bin/openssl/openssl.1 @@ -1307,7 +1307,6 @@ \&./demoCA/serial.old - CA serial number backup file \&./demoCA/index.txt - CA text database file \&./demoCA/index.txt.old - CA text database backup file -\&./demoCA/certs - certificate output file .Ed .Sh CA ENVIRONMENT VARIABLES .Ev OPENSSL_CONF
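Review bot: The openssl.cnf hunk (`@@ -39,7 +39,6 @@ [ CA_default ]`) removes the `certs = $dir/certs` key from the shipped default configuration, which is an installed file that third-party scripts and how-tos may read, and the cover mail itself says the author "could not find out whether there is software that actually *needs* it". Before dropping the key from the user-facing default config, please state in the commit message what was searched (the grep covered the LibreSSL tree only, per the message) and consider keeping the key with a comment marking it as unused by `ca`, so that configs copied from this template keep working for anything that does read it.

Review bot: The ca.c hunk (`@@ -89,7 +89,6 @@`) deletes `#define ENV_CERTS "certs"`; the commit message asserts the macro is unused but offers no evidence beyond "after grepping". Please mention the exact search (for example that neither `ENV_CERTS` nor a literal `"certs"` lookup via `NCONF_get_string` remains anywhere in `src/usr.bin/openssl/`) so a reviewer can confirm the removal compiles and changes no behaviour without repeating the search; the cover mail only reports that the portable build succeeds on Linux.

Review bot: The three test-configuration hunks (`CAss.cnf`, `CAtsa.cnf`, `test.cnf`) change inputs to the regression tests, but the cover mail reports only that the tree builds, not that the test suite was run. The `CAtsa.cnf` hunk in particular sits next to the Time-Stamping Authority configuration, whose own `certs` option (a file, per the commit message) must stay intact; please run the CA and TSA regression tests after the change and note the result in the commit message.

Review bot: The documentation hunks in `ca.pod` (`@@ -592,7 +592,6 @@`) and `openssl.1` (`@@ -1307,7 +1307,6 @@`) both remove the line describing `./demoCA/certs` as a "certificate output file", which is consistent with each other and with the config changes. Since the man page previously told users this directory held issued certificates, consider adding one sentence to the FILES or description text pointing out that issued certificates are written to `new_certs_dir` (the `$dir/newcerts` key visible in the `CAtsa.cnf` hunk), so readers of the updated page are not left without any stated output location.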
