#10626: make-ca broken by openssl-1.1.0h
--------------------+-----------------------
 Reporter:  ken@…   |      Owner:  blfs-book
     Type:  defect  |     Status:  new
 Priority:  high    |  Milestone:  8.3
Component:  BOOK    |    Version:  SVN
 Severity:  normal  |   Keywords:
--------------------+-----------------------
 First reported by Ryan Marsaw on Sunday in
 [http://lists.linuxfromscratch.org/pipermail/blfs-dev/2018-April/034321.html]

 This causes https to fail on new installs, and on upgraded installs from
 an earlier version of openssl the old certificates will be used if an
 attempt is made to refresh the certs.

 Upstream bug is [https://github.com/openssl/openssl/issues/5772]
 (reported by Debian, [https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=894282] )

 From an openssl comment after this was closed:
  levitte commented 8 days ago

 Side note: while I understand the nature of habit, I would urge those who
 can (and this most definitely includes Linux as far as I know) to switch
 to use openssl rehash. c_rehash is a kinda fallback script that will
 disappear at some point.

 Meanwhile, in the absence of openssl-1.1.0j I suggest we try adding quotes
 to /usr/bin/c_rehash (on the make-ca page, before invoking make-ca) if
 they are not present.

 I have suggested
 {{{
 sed -i -e 's%= /etc/ssl;%= "/etc/ssl";%' \
        -e 's%= /usr;%= "/usr";%' /usr/bin/c_rehash
 }}}
 on the grounds that it looks as if it will do the right thing (nothing) if
 rerun, but I haven't confirmed that.

 For the longer term, I guess we should move to openssl rehash.

 I can take a look at confirming the sed can be run multiple times without
 breaking c_rehash.

--
Ticket URL: <http://wiki.linuxfromscratch.org/blfs/ticket/10626>
BLFS Trac <http://wiki.linuxfromscratch.org/blfs>
Beyond Linux From Scratch
-- 
http://lists.linuxfromscratch.org/listinfo/blfs-book
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
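
A check for the rerun question raised in the ticket, as an added example (not code from the ticket or the BLFS book): it applies the two sed expressions twice to a constructed stand-in for the affected c_rehash lines and compares the passes. The sample lines and their variable names are assumptions, not copied from the real script.

```shell
#!/bin/sh
# Added example: are the ticket's two sed expressions safe to run twice?
# The sample input is constructed; its variable names are assumed.

# Apply the ticket's two substitutions to stdin, writing the result to stdout.
quote_paths() {
    sed -e 's%= /etc/ssl;%= "/etc/ssl";%' \
        -e 's%= /usr;%= "/usr";%'
}

# Constructed stand-in for the unquoted assignments in /usr/bin/c_rehash.
sample_unquoted() {
    cat <<'EOF'
my $dir = /etc/ssl;
my $prefix = /usr;
my $verbose = 0;
EOF
}

# Return 0 if a second pass leaves the output of the first pass unchanged.
check_idempotent() {
    first=$(sample_unquoted | quote_paths)
    second=$(printf '%s\n' "$first" | quote_paths)
    [ "$first" = "$second" ]
}

# Count the lines that carry a quoted path after the first pass.
count_quoted() {
    sample_unquoted | quote_paths | grep -c '= "/'
}

if check_idempotent; then
    echo "second run is a no-op; quoted assignments: $(count_quoted)"
else
    echo "second run changed the file" >&2
fi
```

The second pass is a no-op because each pattern requires the path to follow `= ` directly, and the inserted double quote breaks that match.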
