>I just spent 30 minutes playing with easy-rsa which is shipped broken on >5.8 until I realized what was going on. I see that sthen has already >reverted easy-rsa to OpenSSL run dependency per comment > >switch easy-rsa to using openssl to unbreak; libressl doesn't allow >$ENV:: in config files and easy-arrrrsa uses this heavily. > >Moving forward should I even bother with easy-rsa and just use vanilla >libressl to generate certificates? What is the recommendation for this >port in the light of libressl "incompatibilities".
the ENV support was removed because a library cannot safely decide whether to honour or not honour environment variables in all situations. In OpenBSD, we can do this using issetugid, but there is no safe way to emulate such a check on other systems (we do it with a system call). The practice of communicating to libraries with environment variables like this is insane, and should be deprecated. Maybe you can talk to the authors nicely and see if they can find a better way...
