diff -Naur a/apps/openssl/apps.c b/apps/openssl/apps.c
--- a/apps/openssl/apps.c 2024-09-25 09:30:06.000000000 +0600
+++ b/apps/openssl/apps.c 2025-01-09 22:24:46.419234126 +0600
@@ -1069,7 +1069,7 @@
 const char *t = X509_get_default_cert_area();
 char *p;
- if (asprintf(&p, "%s/openssl.cnf", t) == -1)
+ if (asprintf(&p, "%s/libressl.cnf", t) == -1)
 return NULL;
 return p;
 }
diff -Naur a/CMakeLists.txt b/CMakeLists.txt
--- a/CMakeLists.txt 2024-10-08 16:16:19.000000000 +0600
+++ b/CMakeLists.txt 2025-01-09 22:34:00.078411167 +0600
@@ -531,7 +531,7 @@
 DESTINATION ${CMAKE_INSTALL_LIBDIR})
 endif()
- install(FILES cert.pem openssl.cnf x509v3.cnf DESTINATION ${CONF_DIR})
+ install(FILES cert.pem libressl.cnf x509v3.cnf DESTINATION ${CONF_DIR})
 install(DIRECTORY DESTINATION ${CONF_DIR}/certs)
 if(NOT TARGET uninstall)
diff -Naur a/crypto/conf/conf_mod.c b/crypto/conf/conf_mod.c
--- a/crypto/conf/conf_mod.c 2024-09-25 09:30:06.000000000 +0600
+++ b/crypto/conf/conf_mod.c 2025-01-09 22:22:06.849337107 +0600
@@ -485,7 +485,7 @@
 {
 char *file = NULL;
- if (asprintf(&file, "%s/openssl.cnf",
+ if (asprintf(&file, "%s/libressl.cnf",
 X509_get_default_cert_area()) == -1)
 return (NULL);
 return file;
diff -Naur a/libressl.cnf b/libressl.cnf
--- a/libressl.cnf 1970-01-01 06:00:00.000000000 +0600
+++ b/libressl.cnf 2023-07-05 14:08:27.000000000 +0600
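Review bot: The changed asprintf() line hard-codes the default configuration filename separately from the identical literal changed in crypto/conf/conf_mod.c further down this patch, so the CLI default and the library default can silently diverge on the next rename; a shared macro in a common header, e.g. `#define LIBRESSL_DEFAULT_CONF "libressl.cnf"` (name constructed), used by both call sites would remove the duplication, and the build files (CMakeLists.txt, Makefile.am, Makefile.in) repeat the name a third time. Because neither call site falls back to the old name, a host that still keeps its policy (OID sections, module settings) in openssl.cnf under X509_get_default_cert_area() will, if the loader tolerates a missing default file, run on built-in defaults without any error; that is worth stating above the call, e.g. `/* Default file is libressl.cnf; an openssl.cnf in the same directory is not consulted. */`. The enclosing function's signature and opening lines lie outside the hunk.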
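Review bot: `install(FILES cert.pem libressl.cnf x509v3.cnf DESTINATION ${CONF_DIR})` replaces an already-installed libressl.cnf on every install, while the autotools install_sw recipe in this same patch is written to skip configuration files that already exist, so the two install paths now treat a locally edited configuration differently. If preserving local edits is intended, the CMake side needs an install(CODE ...) step that checks if(NOT EXISTS ...) on the destination before copying the two .cnf files; if overwriting is intended, a comment saying so on this line is the minimum, e.g. `# Overwrites an existing libressl.cnf; the autotools install_sw target does not.` Nothing removes or migrates a stale openssl.cnf left in the same directory, which the renamed library default no longer reads. `${CONF_DIR}` is also unquoted here; `"${CONF_DIR}"` is the safer spelling if the path can contain spaces.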
@@ -0,0 +1,24 @@
+[ req ]
+#default_bits = 2048
+#default_md = sha256
+#default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_min = 2
+countryName_max = 2
+stateOrProvinceName = State or Province Name (full name)
+localityName = Locality Name (eg, city)
+0.organizationName = Organization Name (eg, company)
+organizationalUnitName = Organizational Unit Name (eg, section)
+commonName = Common Name (eg, fully qualified host name)
+commonName_max = 64
+emailAddress = Email Address
+emailAddress_max = 64
+
+[ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
diff -Naur a/Makefile.am b/Makefile.am
--- a/Makefile.am 2024-05-28 19:25:41.000000000 +0600
+++ b/Makefile.am 2025-01-09 22:23:13.342877490 +0600
@@ -12,7 +12,7 @@
 EXTRA_DIST = README.md README.mingw.md VERSION config scripts
 EXTRA_DIST += CMakeLists.txt cmake_export_symbol.cmake cmake_uninstall.cmake.in FindLibreSSL.cmake LibreSSLConfig.cmake.in
-EXTRA_DIST += cert.pem openssl.cnf x509v3.cnf
+EXTRA_DIST += cert.pem libressl.cnf x509v3.cnf
 .PHONY: install_sw
 install_sw: install
@@ -24,7 +24,7 @@
 OPENSSLDIR="$(DESTDIR)$(sysconfdir)/ssl"; \
 fi; \
 mkdir -p "$$OPENSSLDIR/certs"; \
- for i in cert.pem openssl.cnf x509v3.cnf; do \
+ for i in cert.pem libressl.cnf x509v3.cnf; do \
 if [ ! -f "$$OPENSSLDIR/$i" ]; then \
 $(INSTALL) -m 644 "$(srcdir)/$$i" "$$OPENSSLDIR/$$i"; \
 else \
@@ -38,7 +38,7 @@
 else \
 OPENSSLDIR="$(DESTDIR)$(sysconfdir)/ssl"; \
 fi; \
- for i in cert.pem openssl.cnf x509v3.cnf; do \
+ for i in cert.pem libressl.cnf x509v3.cnf; do \
 if cmp -s "$$OPENSSLDIR/$$i" "$(srcdir)/$$i"; then \
 rm -f "$$OPENSSLDIR/$$i"; \
 fi \
diff -Naur a/Makefile.in b/Makefile.in
--- a/Makefile.in 2024-10-14 10:53:04.000000000 +0600
+++ b/Makefile.in 2025-01-09 22:25:23.906975003 +0600
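Review bot: The guard on the line following the renamed loop header in the @@ -24 hunk, `if [ ! -f "$$OPENSSLDIR/$i" ]; then \`, writes `$i` where `$$i` is needed: make expands `$i` as its own variable `i` (empty unless defined elsewhere in this file), so the shell tests `"$OPENSSLDIR/"`, a directory, `-f` is false, and the copy branch runs every time — the renamed libressl.cnf is overwritten on each install_sw instead of being preserved. The one-character fix is `if [ ! -f "$$OPENSSLDIR/$$i" ]; then \`; the same text appears in the @@ -895 hunk of Makefile.in, which is generated from this file and should be regenerated rather than patched by hand. Separately, this recipe's else branch installs under `$(sysconfdir)/ssl` while the man page added in this patch documents `/etc/pki/tls/libressl.cnf`; the if branch that sets OPENSSLDIR is outside the hunk, so the two may still agree, but it is worth confirming. The install_sw recipe starts before this hunk.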
@@ -374,7 +374,7 @@ EXTRA_DIST = README.md README.mingw.md VERSION config scripts \ CMakeLists.txt cmake_export_symbol.cmake \ cmake_uninstall.cmake.in FindLibreSSL.cmake \ - LibreSSLConfig.cmake.in cert.pem openssl.cnf x509v3.cnf + LibreSSLConfig.cmake.in cert.pem libressl.cnf x509v3.cnf all: all-recursive .SUFFIXES: @@ -895,7 +895,7 @@ OPENSSLDIR="$(DESTDIR)$(sysconfdir)/ssl"; \ fi; \ mkdir -p "$$OPENSSLDIR/certs"; \ - for i in cert.pem openssl.cnf x509v3.cnf; do \ + for i in cert.pem libressl.cnf x509v3.cnf; do \ if [ ! -f "$$OPENSSLDIR/$i" ]; then \ $(INSTALL) -m 644 "$(srcdir)/$$i" "$$OPENSSLDIR/$$i"; \ else \ @@ -909,7 +909,7 @@ else \ OPENSSLDIR="$(DESTDIR)$(sysconfdir)/ssl"; \ fi; \ - for i in cert.pem openssl.cnf x509v3.cnf; do \ + for i in cert.pem libressl.cnf x509v3.cnf; do \ if cmp -s "$$OPENSSLDIR/$$i" "$(srcdir)/$$i"; then \ rm -f "$$OPENSSLDIR/$$i"; \ fi \ diff -Naur a/man/libressl.cnf.5 b/man/libressl.cnf.5 --- a/man/libressl.cnf.5 1970-01-01 06:00:00.000000000 +0600 +++ b/man/libressl.cnf.5 2025-01-09 22:33:23.437663998 +0600 
@@ -0,0 +1,361 @@ +.\" $OpenBSD: openssl.cnf.5,v 1.11 2024/07/08 15:02:28 jmc Exp $ +.\" full merge up to: OpenSSL man5/config b53338cb Feb 28 12:30:28 2017 +0100 +.\" selective merge up to: OpenSSL a8c5ed81 Jul 18 13:57:25 2017 -0400 +.\" +.\" This file was written by Dr. Stephen Henson . +.\" Copyright (c) 1999, 2000, 2004, 2013, 2015, 2016, 2017 The OpenSSL Project. +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in +.\" the documentation and/or other materials provided with the +.\" distribution. +.\" +.\" 3. All advertising materials mentioning features or use of this +.\" software must display the following acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" +.\" +.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to +.\" endorse or promote products derived from this software without +.\" prior written permission. For written permission, please contact +.\" openssl-core@openssl.org. +.\" +.\" 5. Products derived from this software may not be called "OpenSSL" +.\" nor may "OpenSSL" appear in their names without prior written +.\" permission of the OpenSSL Project. +.\" +.\" 6. 
Redistributions of any form whatsoever must retain the following +.\" acknowledgment: +.\" "This product includes software developed by the OpenSSL Project +.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY +.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR +.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +.\" OF THE POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd $Mdocdate: July 8 2024 $ +.Dt OPENSSL.CNF 5 +.Os +.Sh NAME +.Nm libressl.cnf +.Nd OpenSSL configuration files +.Sh DESCRIPTION +The OpenSSL CONF library can be used to read configuration files; see +.Xr CONF_modules_load_file 3 . +It is used for the OpenSSL master configuration file +.Pa /etc/pki/tls/libressl.cnf +and in a few other places such as certificate extension files for the +.Xr openssl 1 +.Cm x509 +utility. +OpenSSL applications can also use the CONF library for their own +purposes. +.Pp +A configuration file is divided into a number of sections. +Each section starts with a line +.Bq Ar section_name +and ends when a new section is started or the end of the file is reached. +A section name can consist of alphanumeric characters and underscores. +.Pp +The first section of a configuration file is special and is referred to +as the +.Dq default section . +It is usually unnamed and extends from the start of file to the +first named section. 
+When a name is being looked up, it is first looked up in a named +section (if any) and then in the default section. +.Pp +The environment is mapped onto a section called +.Ic ENV . +.Pp +Comments can be included by preceding them with the +.Ql # +character. +.Pp +Each section in a configuration file consists of a number of name and +value pairs of the form +.Ar name Ns = Ns Ar value . +.Pp +The +.Ar name +string can contain any alphanumeric characters as well as a few +punctuation symbols such as +.Ql \&. +.Ql \&, +.Ql \&; +and +.Ql _ . +.Pp +The +.Ar value +string consists of the string following the +.Ql = +character until the end of the line with any leading and trailing +whitespace removed. +.Pp +The value string undergoes variable expansion. +This can be done by including substrings of the form +.Pf $ Ar name +or +.Pf $ Brq Ar name : +this will substitute the value of the named variable in the current +section. +It is also possible to substitute a value from another section using the +syntax +.Pf $ Ar section Ns :: Ns Ar name +or +.Pf $ Brq Ar section Ns :: Ns Ar name . +By using the form +.Pf $ Ic ENV Ns :: Ns Ar name , +environment variables can be substituted. +It is also possible to assign values to environment variables by using +the name +.Ic ENV Ns :: Ns Ar name . +This will work if the program looks up environment variables using +the CONF library instead of calling +.Xr getenv 3 +directly. +The value string must not exceed 64k in length after variable expansion or an +error will occur. +.Pp +It is possible to escape certain characters by using any kind of quote +or the +.Ql \e +character. +By making the last character of a line a +.Ql \e , +a +.Ar value +string can be spread across multiple lines. +In addition the sequences +.Ql \en , +.Ql \er , +.Ql \eb , +and +.Ql \et +are recognized. 
+.Sh OPENSSL LIBRARY CONFIGURATION +Applications can automatically configure certain aspects of OpenSSL +using the master OpenSSL configuration file, or optionally an +alternative configuration file. +The +.Xr openssl 1 +utility includes this functionality: any sub command uses the master +OpenSSL configuration file unless an option is used in the sub command +to use an alternative configuration file. +.Pp +To enable library configuration, the default section needs to contain +an appropriate line which points to the main configuration section. +The default name is +.Ic openssl_conf , +which is used by the +.Xr openssl 1 +utility. +Other applications may use an alternative name such as +.Sy myapplication_conf . +All library configuration lines appear in the default section +at the start of the configuration file. +.Pp +The configuration section should consist of a set of name value pairs +which contain specific module configuration information. +The +.Ar name +represents the name of the configuration module. +The meaning of the +.Ar value +is module specific: it may, for example, represent a further +configuration section containing configuration module specific +information. +For example: +.Bd -literal -offset indent +# The following line must be in the default section. +openssl_conf = openssl_init + +[openssl_init] +oid_section = new_oids + +[new_oids] +\&... new oids here ... +.Ed +.Pp +The features of each configuration module are described below. +.Ss ASN1 Object Configuration Module +This module has the name +.Ic oid_section . +The value of this variable points to a section containing name value +pairs of OIDs: the name is the OID short and long name, and the value is the +numerical form of the OID. +Although some of the +.Xr openssl 1 +utility subcommands already have their own ASN1 OBJECT section +functionality, not all do. 
+By using the ASN1 OBJECT configuration module, all the +.Xr openssl 1 +utility subcommands can see the new objects as well as any compliant +applications. +For example: +.Bd -literal -offset indent +[new_oids] +some_new_oid = 1.2.3.4 +some_other_oid = 1.2.3.5 +.Ed +.Pp +It is also possible to set the value to the long name followed by a +comma and the numerical OID form. +For example: +.Pp +.Dl shortName = some object long name, 1.2.3.4 +.Sh FILES +.Bl -tag -width /etc/pki/tls/libressl.cnf -compact +.It Pa /etc/pki/tls/libressl.cnf +standard configuration file +.El +.Sh EXAMPLES +Here is a sample configuration file using some of the features +mentioned above: +.Bd -literal -offset indent +# This is the default section. +HOME=/temp +RANDFILE= ${ENV::HOME}/.rnd +configdir=$ENV::HOME/config + +[ section_one ] +# We are now in section one. + +# Quotes permit leading and trailing whitespace +any = " any variable name " + +other = A string that can \e +cover several lines \e +by including \e\e characters + +message = Hello World\en + +[ section_two ] +greeting = $section_one::message +.Ed +.Pp +This next example shows how to expand environment variables safely. +.Pp +Suppose you want a variable called +.Sy tmpfile +to refer to a temporary filename. +The directory it is placed in can determined by the +.Ev TEMP +or +.Ev TMP +environment variables but they may not be set to any value at all. +If you just include the environment variable names and the variable +doesn't exist then this will cause an error when an attempt is made to +load the configuration file. +By making use of the default section both values can be looked up with +.Ev TEMP +taking priority and +.Pa /tmp +used if neither is defined: +.Bd -literal -offset indent +TMP=/tmp +# The above value is used if TMP isn't in the environment +TEMP=$ENV::TMP +# The above value is used if TEMP isn't in the environment +tmpfile=${ENV::TEMP}/tmp.filename +.Ed +.Pp +More complex OpenSSL library configuration. 
+Add OID: +.Bd -literal -offset indent +# Default appname: should match "appname" parameter (if any) +# supplied to CONF_modules_load_file et al. +openssl_conf = openssl_conf_section + +[openssl_conf_section] +# Configuration module list +oid_section = new_oids + +[new_oids] +# New OID, just short name +newoid1 = 1.2.3.4.1 +# New OID shortname and long name +newoid2 = New OID 2 long name, 1.2.3.4.2 +.Ed +.Pp +The above examples can be used with any application supporting library +configuration if "openssl_conf" is modified to match the appropriate +"appname". +.Pp +For example if the second sample file above is saved to "example.cnf" +then the command line: +.Pp +.Dl OPENSSL_CONF=example.cnf openssl asn1parse -genstr OID:1.2.3.4.1 +.Pp +will output: +.Dl 0:d=0 hl=2 l= 4 prim: OBJECT :newoid1 +.Pp +showing that the OID "newoid1" has been added as "1.2.3.4.1". +.Sh SEE ALSO +.Xr openssl 1 , +.Xr CONF_modules_load_file 3 , +.Xr OPENSSL_config 3 , +.Xr x509v3.cnf 5 +.Sh CAVEATS +If a configuration file attempts to expand a variable that doesn't +exist, then an error is flagged and the file will not load. +This can also happen if an attempt is made to expand an environment +variable that doesn't exist. +For example, in a previous version of OpenSSL the default OpenSSL +master configuration file used the value of +.Ev HOME +which may not be defined on non Unix systems and would cause an error. +.Pp +This can be worked around by including a default section to provide +a default value: then if the environment lookup fails, the default +value will be used instead. +For this to work properly, the default value must be defined earlier +in the configuration file than the expansion. +See the +.Sx EXAMPLES +section for an example of how to do this. +.Pp +If the same variable is defined more than once in the same section, +then all but the last value will be silently ignored. +In certain circumstances such as with DNs, the same field may occur +multiple times. 
+This is usually worked around by ignoring any characters before an +initial +.Ql \&. , +for example: +.Bd -literal -offset indent +1.OU="My first OU" +2.OU="My Second OU" +.Ed +.Sh BUGS +Currently there is no way to include characters using the octal +.Pf \e Ar nnn +form. +Strings are all NUL terminated, so NUL bytes cannot form part of +the value. +.Pp +The escaping isn't quite right: if you want to use sequences like +.Ql \en , +you can't use any quote escaping on the same line. +.Pp +Files are loaded in a single pass. +This means that a variable expansion will only work if the variables +referenced are defined earlier in the file. diff -Naur a/man/Makefile.am b/man/Makefile.am --- a/man/Makefile.am 2024-10-14 10:52:54.000000000 +0600 +++ b/man/Makefile.am 2025-01-09 22:30:29.135866729 +0600 @@ -561,7 +561,7 @@ dist_man3_MANS += tls_load_file.3 dist_man3_MANS += tls_ocsp_process_response.3 dist_man3_MANS += tls_read.3 -dist_man5_MANS += openssl.cnf.5 +dist_man5_MANS += libressl.cnf.5 dist_man5_MANS += x509v3.cnf.5 install-data-hook: ln -sf "ACCESS_DESCRIPTION_new.3" "$(DESTDIR)$(mandir)/man3/ACCESS_DESCRIPTION_free.3" diff -Naur a/man/Makefile.in b/man/Makefile.in --- a/man/Makefile.in 2024-10-14 10:53:07.000000000 +0600 +++ b/man/Makefile.in 2025-01-09 22:30:39.821792993 +0600 @@ -686,7 +686,7 @@ @ENABLE_LIBTLS_ONLY_FALSE@ tls_init.3 tls_load_file.3 \ @ENABLE_LIBTLS_ONLY_FALSE@ tls_ocsp_process_response.3 \ @ENABLE_LIBTLS_ONLY_FALSE@ tls_read.3 -@ENABLE_LIBTLS_ONLY_FALSE@dist_man5_MANS = openssl.cnf.5 x509v3.cnf.5 +@ENABLE_LIBTLS_ONLY_FALSE@dist_man5_MANS = libressl.cnf.5 x509v3.cnf.5 all: all-am .SUFFIXES: diff -Naur a/man/openssl.cnf.5 b/man/openssl.cnf.5 --- a/man/openssl.cnf.5 2024-09-25 09:30:06.000000000 +0600 +++ b/man/openssl.cnf.5 1970-01-01 06:00:00.000000000 +0600 
@@ -1,361 +0,0 @@ -.\" $OpenBSD: openssl.cnf.5,v 1.11 2024/07/08 15:02:28 jmc Exp $ -.\" full merge up to: OpenSSL man5/config b53338cb Feb 28 12:30:28 2017 +0100 -.\" selective merge up to: OpenSSL a8c5ed81 Jul 18 13:57:25 2017 -0400 -.\" -.\" This file was written by Dr. Stephen Henson . -.\" Copyright (c) 1999, 2000, 2004, 2013, 2015, 2016, 2017 The OpenSSL Project. -.\" All rights reserved. -.\" -.\" Redistribution and use in source and binary forms, with or without -.\" modification, are permitted provided that the following conditions -.\" are met: -.\" -.\" 1. Redistributions of source code must retain the above copyright -.\" notice, this list of conditions and the following disclaimer. -.\" -.\" 2. Redistributions in binary form must reproduce the above copyright -.\" notice, this list of conditions and the following disclaimer in -.\" the documentation and/or other materials provided with the -.\" distribution. -.\" -.\" 3. All advertising materials mentioning features or use of this -.\" software must display the following acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -.\" -.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -.\" endorse or promote products derived from this software without -.\" prior written permission. For written permission, please contact -.\" openssl-core@openssl.org. -.\" -.\" 5. Products derived from this software may not be called "OpenSSL" -.\" nor may "OpenSSL" appear in their names without prior written -.\" permission of the OpenSSL Project. -.\" -.\" 6. 
Redistributions of any form whatsoever must retain the following -.\" acknowledgment: -.\" "This product includes software developed by the OpenSSL Project -.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)" -.\" -.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -.\" OF THE POSSIBILITY OF SUCH DAMAGE. -.\" -.Dd $Mdocdate: July 8 2024 $ -.Dt OPENSSL.CNF 5 -.Os -.Sh NAME -.Nm openssl.cnf -.Nd OpenSSL configuration files -.Sh DESCRIPTION -The OpenSSL CONF library can be used to read configuration files; see -.Xr CONF_modules_load_file 3 . -It is used for the OpenSSL master configuration file -.Pa /etc/ssl/openssl.cnf -and in a few other places such as certificate extension files for the -.Xr openssl 1 -.Cm x509 -utility. -OpenSSL applications can also use the CONF library for their own -purposes. -.Pp -A configuration file is divided into a number of sections. -Each section starts with a line -.Bq Ar section_name -and ends when a new section is started or the end of the file is reached. -A section name can consist of alphanumeric characters and underscores. -.Pp -The first section of a configuration file is special and is referred to -as the -.Dq default section . -It is usually unnamed and extends from the start of file to the -first named section. 
-When a name is being looked up, it is first looked up in a named -section (if any) and then in the default section. -.Pp -The environment is mapped onto a section called -.Ic ENV . -.Pp -Comments can be included by preceding them with the -.Ql # -character. -.Pp -Each section in a configuration file consists of a number of name and -value pairs of the form -.Ar name Ns = Ns Ar value . -.Pp -The -.Ar name -string can contain any alphanumeric characters as well as a few -punctuation symbols such as -.Ql \&. -.Ql \&, -.Ql \&; -and -.Ql _ . -.Pp -The -.Ar value -string consists of the string following the -.Ql = -character until the end of the line with any leading and trailing -whitespace removed. -.Pp -The value string undergoes variable expansion. -This can be done by including substrings of the form -.Pf $ Ar name -or -.Pf $ Brq Ar name : -this will substitute the value of the named variable in the current -section. -It is also possible to substitute a value from another section using the -syntax -.Pf $ Ar section Ns :: Ns Ar name -or -.Pf $ Brq Ar section Ns :: Ns Ar name . -By using the form -.Pf $ Ic ENV Ns :: Ns Ar name , -environment variables can be substituted. -It is also possible to assign values to environment variables by using -the name -.Ic ENV Ns :: Ns Ar name . -This will work if the program looks up environment variables using -the CONF library instead of calling -.Xr getenv 3 -directly. -The value string must not exceed 64k in length after variable expansion or an -error will occur. -.Pp -It is possible to escape certain characters by using any kind of quote -or the -.Ql \e -character. -By making the last character of a line a -.Ql \e , -a -.Ar value -string can be spread across multiple lines. -In addition the sequences -.Ql \en , -.Ql \er , -.Ql \eb , -and -.Ql \et -are recognized. 
-.Sh OPENSSL LIBRARY CONFIGURATION -Applications can automatically configure certain aspects of OpenSSL -using the master OpenSSL configuration file, or optionally an -alternative configuration file. -The -.Xr openssl 1 -utility includes this functionality: any sub command uses the master -OpenSSL configuration file unless an option is used in the sub command -to use an alternative configuration file. -.Pp -To enable library configuration, the default section needs to contain -an appropriate line which points to the main configuration section. -The default name is -.Ic openssl_conf , -which is used by the -.Xr openssl 1 -utility. -Other applications may use an alternative name such as -.Sy myapplication_conf . -All library configuration lines appear in the default section -at the start of the configuration file. -.Pp -The configuration section should consist of a set of name value pairs -which contain specific module configuration information. -The -.Ar name -represents the name of the configuration module. -The meaning of the -.Ar value -is module specific: it may, for example, represent a further -configuration section containing configuration module specific -information. -For example: -.Bd -literal -offset indent -# The following line must be in the default section. -openssl_conf = openssl_init - -[openssl_init] -oid_section = new_oids - -[new_oids] -\&... new oids here ... -.Ed -.Pp -The features of each configuration module are described below. -.Ss ASN1 Object Configuration Module -This module has the name -.Ic oid_section . -The value of this variable points to a section containing name value -pairs of OIDs: the name is the OID short and long name, and the value is the -numerical form of the OID. -Although some of the -.Xr openssl 1 -utility subcommands already have their own ASN1 OBJECT section -functionality, not all do. 
-By using the ASN1 OBJECT configuration module, all the -.Xr openssl 1 -utility subcommands can see the new objects as well as any compliant -applications. -For example: -.Bd -literal -offset indent -[new_oids] -some_new_oid = 1.2.3.4 -some_other_oid = 1.2.3.5 -.Ed -.Pp -It is also possible to set the value to the long name followed by a -comma and the numerical OID form. -For example: -.Pp -.Dl shortName = some object long name, 1.2.3.4 -.Sh FILES -.Bl -tag -width /etc/ssl/openssl.cnf -compact -.It Pa /etc/ssl/openssl.cnf -standard configuration file -.El -.Sh EXAMPLES -Here is a sample configuration file using some of the features -mentioned above: -.Bd -literal -offset indent -# This is the default section. -HOME=/temp -RANDFILE= ${ENV::HOME}/.rnd -configdir=$ENV::HOME/config - -[ section_one ] -# We are now in section one. - -# Quotes permit leading and trailing whitespace -any = " any variable name " - -other = A string that can \e -cover several lines \e -by including \e\e characters - -message = Hello World\en - -[ section_two ] -greeting = $section_one::message -.Ed -.Pp -This next example shows how to expand environment variables safely. -.Pp -Suppose you want a variable called -.Sy tmpfile -to refer to a temporary filename. -The directory it is placed in can determined by the -.Ev TEMP -or -.Ev TMP -environment variables but they may not be set to any value at all. -If you just include the environment variable names and the variable -doesn't exist then this will cause an error when an attempt is made to -load the configuration file. -By making use of the default section both values can be looked up with -.Ev TEMP -taking priority and -.Pa /tmp -used if neither is defined: -.Bd -literal -offset indent -TMP=/tmp -# The above value is used if TMP isn't in the environment -TEMP=$ENV::TMP -# The above value is used if TEMP isn't in the environment -tmpfile=${ENV::TEMP}/tmp.filename -.Ed -.Pp -More complex OpenSSL library configuration. 
-Add OID: -.Bd -literal -offset indent -# Default appname: should match "appname" parameter (if any) -# supplied to CONF_modules_load_file et al. -openssl_conf = openssl_conf_section - -[openssl_conf_section] -# Configuration module list -oid_section = new_oids - -[new_oids] -# New OID, just short name -newoid1 = 1.2.3.4.1 -# New OID shortname and long name -newoid2 = New OID 2 long name, 1.2.3.4.2 -.Ed -.Pp -The above examples can be used with any application supporting library -configuration if "openssl_conf" is modified to match the appropriate -"appname". -.Pp -For example if the second sample file above is saved to "example.cnf" -then the command line: -.Pp -.Dl OPENSSL_CONF=example.cnf openssl asn1parse -genstr OID:1.2.3.4.1 -.Pp -will output: -.Dl 0:d=0 hl=2 l= 4 prim: OBJECT :newoid1 -.Pp -showing that the OID "newoid1" has been added as "1.2.3.4.1". -.Sh SEE ALSO -.Xr openssl 1 , -.Xr CONF_modules_load_file 3 , -.Xr OPENSSL_config 3 , -.Xr x509v3.cnf 5 -.Sh CAVEATS -If a configuration file attempts to expand a variable that doesn't -exist, then an error is flagged and the file will not load. -This can also happen if an attempt is made to expand an environment -variable that doesn't exist. -For example, in a previous version of OpenSSL the default OpenSSL -master configuration file used the value of -.Ev HOME -which may not be defined on non Unix systems and would cause an error. -.Pp -This can be worked around by including a default section to provide -a default value: then if the environment lookup fails, the default -value will be used instead. -For this to work properly, the default value must be defined earlier -in the configuration file than the expansion. -See the -.Sx EXAMPLES -section for an example of how to do this. -.Pp -If the same variable is defined more than once in the same section, -then all but the last value will be silently ignored. -In certain circumstances such as with DNs, the same field may occur -multiple times. 
-This is usually worked around by ignoring any characters before an -initial -.Ql \&. , -for example: -.Bd -literal -offset indent -1.OU="My first OU" -2.OU="My Second OU" -.Ed -.Sh BUGS -Currently there is no way to include characters using the octal -.Pf \e Ar nnn -form. -Strings are all NUL terminated, so NUL bytes cannot form part of -the value. -.Pp -The escaping isn't quite right: if you want to use sequences like -.Ql \en , -you can't use any quote escaping on the same line. -.Pp -Files are loaded in a single pass. -This means that a variable expansion will only work if the variables -referenced are defined earlier in the file. diff -Naur a/openssl.cnf b/openssl.cnf --- a/openssl.cnf 2023-07-05 14:08:27.000000000 +0600 +++ b/openssl.cnf 1970-01-01 06:00:00.000000000 +0600 @@ -1,24 +0,0 @@ -[ req ] -#default_bits = 2048 -#default_md = sha256 -#default_keyfile = privkey.pem -distinguished_name = req_distinguished_name -attributes = req_attributes - -[ req_distinguished_name ] -countryName = Country Name (2 letter code) -countryName_min = 2 -countryName_max = 2 -stateOrProvinceName = State or Province Name (full name) -localityName = Locality Name (eg, city) -0.organizationName = Organization Name (eg, company) -organizationalUnitName = Organizational Unit Name (eg, section) -commonName = Common Name (eg, fully qualified host name) -commonName_max = 64 -emailAddress = Email Address -emailAddress_max = 64 - -[ req_attributes ] -challengePassword = A challenge password -challengePassword_min = 4 -challengePassword_max = 20