raven/base/libressl/libressl-rename-config-file.patch
2025-01-13 11:30:53 +06:00


diff -Naur a/apps/openssl/apps.c b/apps/openssl/apps.c
--- a/apps/openssl/apps.c 2024-09-25 09:30:06.000000000 +0600
+++ b/apps/openssl/apps.c 2025-01-09 22:24:46.419234126 +0600
@@ -1069,7 +1069,7 @@
const char *t = X509_get_default_cert_area();
char *p;
- if (asprintf(&p, "%s/openssl.cnf", t) == -1)
+ if (asprintf(&p, "%s/libressl.cnf", t) == -1)
return NULL;
return p;
}
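Review bot: Changing the compiled-in default from openssl.cnf to libressl.cnf means an `openssl.cnf` already present in the certificate area is no longer consulted by the `openssl` tool, and because a missing default configuration is normally tolerated at load time this is likely to be silent rather than an error, so any settings an administrator relies on that file to enforce stop applying without a diagnostic; confirm against how the loader is invoked. The identical string change in crypto/conf/conf_mod.c (hunk at -485) affects every library user of the default config path the same way. Neither hunk leaves a trace of the rename for future readers; a comment such as `/* raven: the default config is libressl.cnf; a pre-existing openssl.cnf in this directory is not read */` above the asprintf call would help, and handling a pre-existing openssl.cnf at package upgrade time is worth considering. The enclosing function starts outside the hunk.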
diff -Naur a/CMakeLists.txt b/CMakeLists.txt
--- a/CMakeLists.txt 2024-10-08 16:16:19.000000000 +0600
+++ b/CMakeLists.txt 2025-01-09 22:34:00.078411167 +0600
@@ -531,7 +531,7 @@
DESTINATION ${CMAKE_INSTALL_LIBDIR})
endif()
- install(FILES cert.pem openssl.cnf x509v3.cnf DESTINATION ${CONF_DIR})
+ install(FILES cert.pem libressl.cnf x509v3.cnf DESTINATION ${CONF_DIR})
install(DIRECTORY DESTINATION ${CONF_DIR}/certs)
if(NOT TARGET uninstall)
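Review bot: `install(FILES cert.pem libressl.cnf x509v3.cnf DESTINATION ${CONF_DIR})` overwrites an existing `${CONF_DIR}/libressl.cnf` on every install, whereas the autotools install_sw recipe in Makefile.am (hunk at -24) is written to leave already-present files alone, so a site-edited configuration would be clobbered by a CMake-based rebuild of the package. If the CMake path is what this package builds with, consider guarding the configuration files (for example an `install(CODE ...)` step that copies only when the destination is absent) or at least documenting that the two install paths differ here.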
diff -Naur a/crypto/conf/conf_mod.c b/crypto/conf/conf_mod.c
--- a/crypto/conf/conf_mod.c 2024-09-25 09:30:06.000000000 +0600
+++ b/crypto/conf/conf_mod.c 2025-01-09 22:22:06.849337107 +0600
@@ -485,7 +485,7 @@
{
char *file = NULL;
- if (asprintf(&file, "%s/openssl.cnf",
+ if (asprintf(&file, "%s/libressl.cnf",
X509_get_default_cert_area()) == -1)
return (NULL);
return file;
diff -Naur a/libressl.cnf b/libressl.cnf
--- a/libressl.cnf 1970-01-01 06:00:00.000000000 +0600
+++ b/libressl.cnf 2023-07-05 14:08:27.000000000 +0600
@@ -0,0 +1,24 @@
+[ req ]
+#default_bits = 2048
+#default_md = sha256
+#default_keyfile = privkey.pem
+distinguished_name = req_distinguished_name
+attributes = req_attributes
+
+[ req_distinguished_name ]
+countryName = Country Name (2 letter code)
+countryName_min = 2
+countryName_max = 2
+stateOrProvinceName = State or Province Name (full name)
+localityName = Locality Name (eg, city)
+0.organizationName = Organization Name (eg, company)
+organizationalUnitName = Organizational Unit Name (eg, section)
+commonName = Common Name (eg, fully qualified host name)
+commonName_max = 64
+emailAddress = Email Address
+emailAddress_max = 64
+
+[ req_attributes ]
+challengePassword = A challenge password
+challengePassword_min = 4
+challengePassword_max = 20
diff -Naur a/Makefile.am b/Makefile.am
--- a/Makefile.am 2024-05-28 19:25:41.000000000 +0600
+++ b/Makefile.am 2025-01-09 22:23:13.342877490 +0600
@@ -12,7 +12,7 @@
EXTRA_DIST = README.md README.mingw.md VERSION config scripts
EXTRA_DIST += CMakeLists.txt cmake_export_symbol.cmake cmake_uninstall.cmake.in FindLibreSSL.cmake LibreSSLConfig.cmake.in
-EXTRA_DIST += cert.pem openssl.cnf x509v3.cnf
+EXTRA_DIST += cert.pem libressl.cnf x509v3.cnf
.PHONY: install_sw
install_sw: install
@@ -24,7 +24,7 @@
OPENSSLDIR="$(DESTDIR)$(sysconfdir)/ssl"; \
fi; \
mkdir -p "$$OPENSSLDIR/certs"; \
- for i in cert.pem openssl.cnf x509v3.cnf; do \
+ for i in cert.pem libressl.cnf x509v3.cnf; do \
if [ ! -f "$$OPENSSLDIR/$i" ]; then \
$(INSTALL) -m 644 "$(srcdir)/$$i" "$$OPENSSLDIR/$$i"; \
else \
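Review bot: The preserve-existing-file check on the line after the changed loop header tests `"$$OPENSSLDIR/$i"` with a single `$`, so make expands `$i` as its own (unset) variable and the shell sees `[ ! -f "$OPENSSLDIR/" ]`, which is always true for the directory created by the preceding mkdir; libressl.cnf, cert.pem and x509v3.cnf are therefore reinstalled over any existing copy, and the else branch that follows is never reached. The install line already uses `$$i`, so the fix is `if [ ! -f "$$OPENSSLDIR/$$i" ]; then`. The same pre-existing slip is visible in the generated Makefile.in (hunk at -895); regenerating from the corrected Makefile.am fixes both. The install_sw recipe continues outside the hunk.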
@@ -38,7 +38,7 @@
else \
OPENSSLDIR="$(DESTDIR)$(sysconfdir)/ssl"; \
fi; \
- for i in cert.pem openssl.cnf x509v3.cnf; do \
+ for i in cert.pem libressl.cnf x509v3.cnf; do \
if cmp -s "$$OPENSSLDIR/$$i" "$(srcdir)/$$i"; then \
rm -f "$$OPENSSLDIR/$$i"; \
fi \
diff -Naur a/Makefile.in b/Makefile.in
--- a/Makefile.in 2024-10-14 10:53:04.000000000 +0600
+++ b/Makefile.in 2025-01-09 22:25:23.906975003 +0600
@@ -374,7 +374,7 @@
EXTRA_DIST = README.md README.mingw.md VERSION config scripts \
CMakeLists.txt cmake_export_symbol.cmake \
cmake_uninstall.cmake.in FindLibreSSL.cmake \
- LibreSSLConfig.cmake.in cert.pem openssl.cnf x509v3.cnf
+ LibreSSLConfig.cmake.in cert.pem libressl.cnf x509v3.cnf
all: all-recursive
.SUFFIXES:
@@ -895,7 +895,7 @@
OPENSSLDIR="$(DESTDIR)$(sysconfdir)/ssl"; \
fi; \
mkdir -p "$$OPENSSLDIR/certs"; \
- for i in cert.pem openssl.cnf x509v3.cnf; do \
+ for i in cert.pem libressl.cnf x509v3.cnf; do \
if [ ! -f "$$OPENSSLDIR/$i" ]; then \
$(INSTALL) -m 644 "$(srcdir)/$$i" "$$OPENSSLDIR/$$i"; \
else \
@@ -909,7 +909,7 @@
else \
OPENSSLDIR="$(DESTDIR)$(sysconfdir)/ssl"; \
fi; \
- for i in cert.pem openssl.cnf x509v3.cnf; do \
+ for i in cert.pem libressl.cnf x509v3.cnf; do \
if cmp -s "$$OPENSSLDIR/$$i" "$(srcdir)/$$i"; then \
rm -f "$$OPENSSLDIR/$$i"; \
fi \
diff -Naur a/man/libressl.cnf.5 b/man/libressl.cnf.5
--- a/man/libressl.cnf.5 1970-01-01 06:00:00.000000000 +0600
+++ b/man/libressl.cnf.5 2025-01-09 22:33:23.437663998 +0600
@@ -0,0 +1,361 @@
+.\" $OpenBSD: openssl.cnf.5,v 1.11 2024/07/08 15:02:28 jmc Exp $
+.\" full merge up to: OpenSSL man5/config b53338cb Feb 28 12:30:28 2017 +0100
+.\" selective merge up to: OpenSSL a8c5ed81 Jul 18 13:57:25 2017 -0400
+.\"
+.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
+.\" Copyright (c) 1999, 2000, 2004, 2013, 2015, 2016, 2017 The OpenSSL Project.
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in
+.\" the documentation and/or other materials provided with the
+.\" distribution.
+.\"
+.\" 3. All advertising materials mentioning features or use of this
+.\" software must display the following acknowledgment:
+.\" "This product includes software developed by the OpenSSL Project
+.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+.\"
+.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+.\" endorse or promote products derived from this software without
+.\" prior written permission. For written permission, please contact
+.\" openssl-core@openssl.org.
+.\"
+.\" 5. Products derived from this software may not be called "OpenSSL"
+.\" nor may "OpenSSL" appear in their names without prior written
+.\" permission of the OpenSSL Project.
+.\"
+.\" 6. Redistributions of any form whatsoever must retain the following
+.\" acknowledgment:
+.\" "This product includes software developed by the OpenSSL Project
+.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
+.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+.\" OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd $Mdocdate: July 8 2024 $
+.Dt OPENSSL.CNF 5
+.Os
+.Sh NAME
+.Nm libressl.cnf
+.Nd OpenSSL configuration files
+.Sh DESCRIPTION
+The OpenSSL CONF library can be used to read configuration files; see
+.Xr CONF_modules_load_file 3 .
+It is used for the OpenSSL master configuration file
+.Pa /etc/pki/tls/libressl.cnf
+and in a few other places such as certificate extension files for the
+.Xr openssl 1
+.Cm x509
+utility.
+OpenSSL applications can also use the CONF library for their own
+purposes.
+.Pp
+A configuration file is divided into a number of sections.
+Each section starts with a line
+.Bq Ar section_name
+and ends when a new section is started or the end of the file is reached.
+A section name can consist of alphanumeric characters and underscores.
+.Pp
+The first section of a configuration file is special and is referred to
+as the
+.Dq default section .
+It is usually unnamed and extends from the start of file to the
+first named section.
+When a name is being looked up, it is first looked up in a named
+section (if any) and then in the default section.
+.Pp
+The environment is mapped onto a section called
+.Ic ENV .
+.Pp
+Comments can be included by preceding them with the
+.Ql #
+character.
+.Pp
+Each section in a configuration file consists of a number of name and
+value pairs of the form
+.Ar name Ns = Ns Ar value .
+.Pp
+The
+.Ar name
+string can contain any alphanumeric characters as well as a few
+punctuation symbols such as
+.Ql \&.
+.Ql \&,
+.Ql \&;
+and
+.Ql _ .
+.Pp
+The
+.Ar value
+string consists of the string following the
+.Ql =
+character until the end of the line with any leading and trailing
+whitespace removed.
+.Pp
+The value string undergoes variable expansion.
+This can be done by including substrings of the form
+.Pf $ Ar name
+or
+.Pf $ Brq Ar name :
+this will substitute the value of the named variable in the current
+section.
+It is also possible to substitute a value from another section using the
+syntax
+.Pf $ Ar section Ns :: Ns Ar name
+or
+.Pf $ Brq Ar section Ns :: Ns Ar name .
+By using the form
+.Pf $ Ic ENV Ns :: Ns Ar name ,
+environment variables can be substituted.
+It is also possible to assign values to environment variables by using
+the name
+.Ic ENV Ns :: Ns Ar name .
+This will work if the program looks up environment variables using
+the CONF library instead of calling
+.Xr getenv 3
+directly.
+The value string must not exceed 64k in length after variable expansion or an
+error will occur.
+.Pp
+It is possible to escape certain characters by using any kind of quote
+or the
+.Ql \e
+character.
+By making the last character of a line a
+.Ql \e ,
+a
+.Ar value
+string can be spread across multiple lines.
+In addition the sequences
+.Ql \en ,
+.Ql \er ,
+.Ql \eb ,
+and
+.Ql \et
+are recognized.
+.Sh OPENSSL LIBRARY CONFIGURATION
+Applications can automatically configure certain aspects of OpenSSL
+using the master OpenSSL configuration file, or optionally an
+alternative configuration file.
+The
+.Xr openssl 1
+utility includes this functionality: any sub command uses the master
+OpenSSL configuration file unless an option is used in the sub command
+to use an alternative configuration file.
+.Pp
+To enable library configuration, the default section needs to contain
+an appropriate line which points to the main configuration section.
+The default name is
+.Ic openssl_conf ,
+which is used by the
+.Xr openssl 1
+utility.
+Other applications may use an alternative name such as
+.Sy myapplication_conf .
+All library configuration lines appear in the default section
+at the start of the configuration file.
+.Pp
+The configuration section should consist of a set of name value pairs
+which contain specific module configuration information.
+The
+.Ar name
+represents the name of the configuration module.
+The meaning of the
+.Ar value
+is module specific: it may, for example, represent a further
+configuration section containing configuration module specific
+information.
+For example:
+.Bd -literal -offset indent
+# The following line must be in the default section.
+openssl_conf = openssl_init
+
+[openssl_init]
+oid_section = new_oids
+
+[new_oids]
+\&... new oids here ...
+.Ed
+.Pp
+The features of each configuration module are described below.
+.Ss ASN1 Object Configuration Module
+This module has the name
+.Ic oid_section .
+The value of this variable points to a section containing name value
+pairs of OIDs: the name is the OID short and long name, and the value is the
+numerical form of the OID.
+Although some of the
+.Xr openssl 1
+utility subcommands already have their own ASN1 OBJECT section
+functionality, not all do.
+By using the ASN1 OBJECT configuration module, all the
+.Xr openssl 1
+utility subcommands can see the new objects as well as any compliant
+applications.
+For example:
+.Bd -literal -offset indent
+[new_oids]
+some_new_oid = 1.2.3.4
+some_other_oid = 1.2.3.5
+.Ed
+.Pp
+It is also possible to set the value to the long name followed by a
+comma and the numerical OID form.
+For example:
+.Pp
+.Dl shortName = some object long name, 1.2.3.4
+.Sh FILES
+.Bl -tag -width /etc/pki/tls/libressl.cnf -compact
+.It Pa /etc/pki/tls/libressl.cnf
+standard configuration file
+.El
+.Sh EXAMPLES
+Here is a sample configuration file using some of the features
+mentioned above:
+.Bd -literal -offset indent
+# This is the default section.
+HOME=/temp
+RANDFILE= ${ENV::HOME}/.rnd
+configdir=$ENV::HOME/config
+
+[ section_one ]
+# We are now in section one.
+
+# Quotes permit leading and trailing whitespace
+any = " any variable name "
+
+other = A string that can \e
+cover several lines \e
+by including \e\e characters
+
+message = Hello World\en
+
+[ section_two ]
+greeting = $section_one::message
+.Ed
+.Pp
+This next example shows how to expand environment variables safely.
+.Pp
+Suppose you want a variable called
+.Sy tmpfile
+to refer to a temporary filename.
+The directory it is placed in can determined by the
+.Ev TEMP
+or
+.Ev TMP
+environment variables but they may not be set to any value at all.
+If you just include the environment variable names and the variable
+doesn't exist then this will cause an error when an attempt is made to
+load the configuration file.
+By making use of the default section both values can be looked up with
+.Ev TEMP
+taking priority and
+.Pa /tmp
+used if neither is defined:
+.Bd -literal -offset indent
+TMP=/tmp
+# The above value is used if TMP isn't in the environment
+TEMP=$ENV::TMP
+# The above value is used if TEMP isn't in the environment
+tmpfile=${ENV::TEMP}/tmp.filename
+.Ed
+.Pp
+More complex OpenSSL library configuration.
+Add OID:
+.Bd -literal -offset indent
+# Default appname: should match "appname" parameter (if any)
+# supplied to CONF_modules_load_file et al.
+openssl_conf = openssl_conf_section
+
+[openssl_conf_section]
+# Configuration module list
+oid_section = new_oids
+
+[new_oids]
+# New OID, just short name
+newoid1 = 1.2.3.4.1
+# New OID shortname and long name
+newoid2 = New OID 2 long name, 1.2.3.4.2
+.Ed
+.Pp
+The above examples can be used with any application supporting library
+configuration if "openssl_conf" is modified to match the appropriate
+"appname".
+.Pp
+For example if the second sample file above is saved to "example.cnf"
+then the command line:
+.Pp
+.Dl OPENSSL_CONF=example.cnf openssl asn1parse -genstr OID:1.2.3.4.1
+.Pp
+will output:
+.Dl 0:d=0 hl=2 l= 4 prim: OBJECT :newoid1
+.Pp
+showing that the OID "newoid1" has been added as "1.2.3.4.1".
+.Sh SEE ALSO
+.Xr openssl 1 ,
+.Xr CONF_modules_load_file 3 ,
+.Xr OPENSSL_config 3 ,
+.Xr x509v3.cnf 5
+.Sh CAVEATS
+If a configuration file attempts to expand a variable that doesn't
+exist, then an error is flagged and the file will not load.
+This can also happen if an attempt is made to expand an environment
+variable that doesn't exist.
+For example, in a previous version of OpenSSL the default OpenSSL
+master configuration file used the value of
+.Ev HOME
+which may not be defined on non Unix systems and would cause an error.
+.Pp
+This can be worked around by including a default section to provide
+a default value: then if the environment lookup fails, the default
+value will be used instead.
+For this to work properly, the default value must be defined earlier
+in the configuration file than the expansion.
+See the
+.Sx EXAMPLES
+section for an example of how to do this.
+.Pp
+If the same variable is defined more than once in the same section,
+then all but the last value will be silently ignored.
+In certain circumstances such as with DNs, the same field may occur
+multiple times.
+This is usually worked around by ignoring any characters before an
+initial
+.Ql \&. ,
+for example:
+.Bd -literal -offset indent
+1.OU="My first OU"
+2.OU="My Second OU"
+.Ed
+.Sh BUGS
+Currently there is no way to include characters using the octal
+.Pf \e Ar nnn
+form.
+Strings are all NUL terminated, so NUL bytes cannot form part of
+the value.
+.Pp
+The escaping isn't quite right: if you want to use sequences like
+.Ql \en ,
+you can't use any quote escaping on the same line.
+.Pp
+Files are loaded in a single pass.
+This means that a variable expansion will only work if the variables
+referenced are defined earlier in the file.
diff -Naur a/man/Makefile.am b/man/Makefile.am
--- a/man/Makefile.am 2024-10-14 10:52:54.000000000 +0600
+++ b/man/Makefile.am 2025-01-09 22:30:29.135866729 +0600
@@ -561,7 +561,7 @@
dist_man3_MANS += tls_load_file.3
dist_man3_MANS += tls_ocsp_process_response.3
dist_man3_MANS += tls_read.3
-dist_man5_MANS += openssl.cnf.5
+dist_man5_MANS += libressl.cnf.5
dist_man5_MANS += x509v3.cnf.5
install-data-hook:
ln -sf "ACCESS_DESCRIPTION_new.3" "$(DESTDIR)$(mandir)/man3/ACCESS_DESCRIPTION_free.3"
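Review bot: `dist_man5_MANS += libressl.cnf.5` registers a page whose header still reads `.Dt OPENSSL.CNF 5` while its `.Nm` was changed to libressl.cnf, so the rendered title and the apropos entry disagree with the file name; the new page's header should become `.Dt LIBRESSL.CNF 5`. Dropping openssl.cnf.5 also leaves any `.Xr openssl.cnf 5` cross-references in the other manual pages dangling (those pages are not in this patch, so confirm); since the install-data-hook just below already creates aliases with ln -sf, adding `ln -sf "libressl.cnf.5" "$(DESTDIR)$(mandir)/man5/openssl.cnf.5"` there would keep them resolvable. The new page documents `/etc/pki/tls/libressl.cnf`, which matches the build only if OPENSSLDIR is configured to that directory; the Makefile fallback in this patch is `$(sysconfdir)/ssl`.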
diff -Naur a/man/Makefile.in b/man/Makefile.in
--- a/man/Makefile.in 2024-10-14 10:53:07.000000000 +0600
+++ b/man/Makefile.in 2025-01-09 22:30:39.821792993 +0600
@@ -686,7 +686,7 @@
@ENABLE_LIBTLS_ONLY_FALSE@ tls_init.3 tls_load_file.3 \
@ENABLE_LIBTLS_ONLY_FALSE@ tls_ocsp_process_response.3 \
@ENABLE_LIBTLS_ONLY_FALSE@ tls_read.3
-@ENABLE_LIBTLS_ONLY_FALSE@dist_man5_MANS = openssl.cnf.5 x509v3.cnf.5
+@ENABLE_LIBTLS_ONLY_FALSE@dist_man5_MANS = libressl.cnf.5 x509v3.cnf.5
all: all-am
.SUFFIXES:
diff -Naur a/man/openssl.cnf.5 b/man/openssl.cnf.5
--- a/man/openssl.cnf.5 2024-09-25 09:30:06.000000000 +0600
+++ b/man/openssl.cnf.5 1970-01-01 06:00:00.000000000 +0600
@@ -1,361 +0,0 @@
-.\" $OpenBSD: openssl.cnf.5,v 1.11 2024/07/08 15:02:28 jmc Exp $
-.\" full merge up to: OpenSSL man5/config b53338cb Feb 28 12:30:28 2017 +0100
-.\" selective merge up to: OpenSSL a8c5ed81 Jul 18 13:57:25 2017 -0400
-.\"
-.\" This file was written by Dr. Stephen Henson <steve@openssl.org>.
-.\" Copyright (c) 1999, 2000, 2004, 2013, 2015, 2016, 2017 The OpenSSL Project.
-.\" All rights reserved.
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions
-.\" are met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in
-.\" the documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" 3. All advertising materials mentioning features or use of this
-.\" software must display the following acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-.\"
-.\" 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-.\" endorse or promote products derived from this software without
-.\" prior written permission. For written permission, please contact
-.\" openssl-core@openssl.org.
-.\"
-.\" 5. Products derived from this software may not be called "OpenSSL"
-.\" nor may "OpenSSL" appear in their names without prior written
-.\" permission of the OpenSSL Project.
-.\"
-.\" 6. Redistributions of any form whatsoever must retain the following
-.\" acknowledgment:
-.\" "This product includes software developed by the OpenSSL Project
-.\" for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-.\" EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-.\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-.\" ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-.\" NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-.\" STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-.\" OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.Dd $Mdocdate: July 8 2024 $
-.Dt OPENSSL.CNF 5
-.Os
-.Sh NAME
-.Nm openssl.cnf
-.Nd OpenSSL configuration files
-.Sh DESCRIPTION
-The OpenSSL CONF library can be used to read configuration files; see
-.Xr CONF_modules_load_file 3 .
-It is used for the OpenSSL master configuration file
-.Pa /etc/ssl/openssl.cnf
-and in a few other places such as certificate extension files for the
-.Xr openssl 1
-.Cm x509
-utility.
-OpenSSL applications can also use the CONF library for their own
-purposes.
-.Pp
-A configuration file is divided into a number of sections.
-Each section starts with a line
-.Bq Ar section_name
-and ends when a new section is started or the end of the file is reached.
-A section name can consist of alphanumeric characters and underscores.
-.Pp
-The first section of a configuration file is special and is referred to
-as the
-.Dq default section .
-It is usually unnamed and extends from the start of file to the
-first named section.
-When a name is being looked up, it is first looked up in a named
-section (if any) and then in the default section.
-.Pp
-The environment is mapped onto a section called
-.Ic ENV .
-.Pp
-Comments can be included by preceding them with the
-.Ql #
-character.
-.Pp
-Each section in a configuration file consists of a number of name and
-value pairs of the form
-.Ar name Ns = Ns Ar value .
-.Pp
-The
-.Ar name
-string can contain any alphanumeric characters as well as a few
-punctuation symbols such as
-.Ql \&.
-.Ql \&,
-.Ql \&;
-and
-.Ql _ .
-.Pp
-The
-.Ar value
-string consists of the string following the
-.Ql =
-character until the end of the line with any leading and trailing
-whitespace removed.
-.Pp
-The value string undergoes variable expansion.
-This can be done by including substrings of the form
-.Pf $ Ar name
-or
-.Pf $ Brq Ar name :
-this will substitute the value of the named variable in the current
-section.
-It is also possible to substitute a value from another section using the
-syntax
-.Pf $ Ar section Ns :: Ns Ar name
-or
-.Pf $ Brq Ar section Ns :: Ns Ar name .
-By using the form
-.Pf $ Ic ENV Ns :: Ns Ar name ,
-environment variables can be substituted.
-It is also possible to assign values to environment variables by using
-the name
-.Ic ENV Ns :: Ns Ar name .
-This will work if the program looks up environment variables using
-the CONF library instead of calling
-.Xr getenv 3
-directly.
-The value string must not exceed 64k in length after variable expansion or an
-error will occur.
-.Pp
-It is possible to escape certain characters by using any kind of quote
-or the
-.Ql \e
-character.
-By making the last character of a line a
-.Ql \e ,
-a
-.Ar value
-string can be spread across multiple lines.
-In addition the sequences
-.Ql \en ,
-.Ql \er ,
-.Ql \eb ,
-and
-.Ql \et
-are recognized.
-.Sh OPENSSL LIBRARY CONFIGURATION
-Applications can automatically configure certain aspects of OpenSSL
-using the master OpenSSL configuration file, or optionally an
-alternative configuration file.
-The
-.Xr openssl 1
-utility includes this functionality: any sub command uses the master
-OpenSSL configuration file unless an option is used in the sub command
-to use an alternative configuration file.
-.Pp
-To enable library configuration, the default section needs to contain
-an appropriate line which points to the main configuration section.
-The default name is
-.Ic openssl_conf ,
-which is used by the
-.Xr openssl 1
-utility.
-Other applications may use an alternative name such as
-.Sy myapplication_conf .
-All library configuration lines appear in the default section
-at the start of the configuration file.
-.Pp
-The configuration section should consist of a set of name value pairs
-which contain specific module configuration information.
-The
-.Ar name
-represents the name of the configuration module.
-The meaning of the
-.Ar value
-is module specific: it may, for example, represent a further
-configuration section containing configuration module specific
-information.
-For example:
-.Bd -literal -offset indent
-# The following line must be in the default section.
-openssl_conf = openssl_init
-
-[openssl_init]
-oid_section = new_oids
-
-[new_oids]
-\&... new oids here ...
-.Ed
-.Pp
-The features of each configuration module are described below.
-.Ss ASN1 Object Configuration Module
-This module has the name
-.Ic oid_section .
-The value of this variable points to a section containing name value
-pairs of OIDs: the name is the OID short and long name, and the value is the
-numerical form of the OID.
-Although some of the
-.Xr openssl 1
-utility subcommands already have their own ASN1 OBJECT section
-functionality, not all do.
-By using the ASN1 OBJECT configuration module, all the
-.Xr openssl 1
-utility subcommands can see the new objects as well as any compliant
-applications.
-For example:
-.Bd -literal -offset indent
-[new_oids]
-some_new_oid = 1.2.3.4
-some_other_oid = 1.2.3.5
-.Ed
-.Pp
-It is also possible to set the value to the long name followed by a
-comma and the numerical OID form.
-For example:
-.Pp
-.Dl shortName = some object long name, 1.2.3.4
-.Sh FILES
-.Bl -tag -width /etc/ssl/openssl.cnf -compact
-.It Pa /etc/ssl/openssl.cnf
-standard configuration file
-.El
-.Sh EXAMPLES
-Here is a sample configuration file using some of the features
-mentioned above:
-.Bd -literal -offset indent
-# This is the default section.
-HOME=/temp
-RANDFILE= ${ENV::HOME}/.rnd
-configdir=$ENV::HOME/config
-
-[ section_one ]
-# We are now in section one.
-
-# Quotes permit leading and trailing whitespace
-any = " any variable name "
-
-other = A string that can \e
-cover several lines \e
-by including \e\e characters
-
-message = Hello World\en
-
-[ section_two ]
-greeting = $section_one::message
-.Ed
-.Pp
-This next example shows how to expand environment variables safely.
-.Pp
-Suppose you want a variable called
-.Sy tmpfile
-to refer to a temporary filename.
-The directory it is placed in can determined by the
-.Ev TEMP
-or
-.Ev TMP
-environment variables but they may not be set to any value at all.
-If you just include the environment variable names and the variable
-doesn't exist then this will cause an error when an attempt is made to
-load the configuration file.
-By making use of the default section both values can be looked up with
-.Ev TEMP
-taking priority and
-.Pa /tmp
-used if neither is defined:
-.Bd -literal -offset indent
-TMP=/tmp
-# The above value is used if TMP isn't in the environment
-TEMP=$ENV::TMP
-# The above value is used if TEMP isn't in the environment
-tmpfile=${ENV::TEMP}/tmp.filename
-.Ed
-.Pp
-More complex OpenSSL library configuration.
-Add OID:
-.Bd -literal -offset indent
-# Default appname: should match "appname" parameter (if any)
-# supplied to CONF_modules_load_file et al.
-openssl_conf = openssl_conf_section
-
-[openssl_conf_section]
-# Configuration module list
-oid_section = new_oids
-
-[new_oids]
-# New OID, just short name
-newoid1 = 1.2.3.4.1
-# New OID shortname and long name
-newoid2 = New OID 2 long name, 1.2.3.4.2
-.Ed
-.Pp
-The above examples can be used with any application supporting library
-configuration if "openssl_conf" is modified to match the appropriate
-"appname".
-.Pp
-For example if the second sample file above is saved to "example.cnf"
-then the command line:
-.Pp
-.Dl OPENSSL_CONF=example.cnf openssl asn1parse -genstr OID:1.2.3.4.1
-.Pp
-will output:
-.Dl 0:d=0 hl=2 l= 4 prim: OBJECT :newoid1
-.Pp
-showing that the OID "newoid1" has been added as "1.2.3.4.1".
-.Sh SEE ALSO
-.Xr openssl 1 ,
-.Xr CONF_modules_load_file 3 ,
-.Xr OPENSSL_config 3 ,
-.Xr x509v3.cnf 5
-.Sh CAVEATS
-If a configuration file attempts to expand a variable that doesn't
-exist, then an error is flagged and the file will not load.
-This can also happen if an attempt is made to expand an environment
-variable that doesn't exist.
-For example, in a previous version of OpenSSL the default OpenSSL
-master configuration file used the value of
-.Ev HOME
-which may not be defined on non Unix systems and would cause an error.
-.Pp
-This can be worked around by including a default section to provide
-a default value: then if the environment lookup fails, the default
-value will be used instead.
-For this to work properly, the default value must be defined earlier
-in the configuration file than the expansion.
-See the
-.Sx EXAMPLES
-section for an example of how to do this.
-.Pp
-If the same variable is defined more than once in the same section,
-then all but the last value will be silently ignored.
-In certain circumstances such as with DNs, the same field may occur
-multiple times.
-This is usually worked around by ignoring any characters before an
-initial
-.Ql \&. ,
-for example:
-.Bd -literal -offset indent
-1.OU="My first OU"
-2.OU="My Second OU"
-.Ed
-.Sh BUGS
-Currently there is no way to include characters using the octal
-.Pf \e Ar nnn
-form.
-Strings are all NUL terminated, so NUL bytes cannot form part of
-the value.
-.Pp
-The escaping isn't quite right: if you want to use sequences like
-.Ql \en ,
-you can't use any quote escaping on the same line.
-.Pp
-Files are loaded in a single pass.
-This means that a variable expansion will only work if the variables
-referenced are defined earlier in the file.
diff -Naur a/openssl.cnf b/openssl.cnf
--- a/openssl.cnf 2023-07-05 14:08:27.000000000 +0600
+++ b/openssl.cnf 1970-01-01 06:00:00.000000000 +0600
@@ -1,24 +0,0 @@
-[ req ]
-#default_bits = 2048
-#default_md = sha256
-#default_keyfile = privkey.pem
-distinguished_name = req_distinguished_name
-attributes = req_attributes
-
-[ req_distinguished_name ]
-countryName = Country Name (2 letter code)
-countryName_min = 2
-countryName_max = 2
-stateOrProvinceName = State or Province Name (full name)
-localityName = Locality Name (eg, city)
-0.organizationName = Organization Name (eg, company)
-organizationalUnitName = Organizational Unit Name (eg, section)
-commonName = Common Name (eg, fully qualified host name)
-commonName_max = 64
-emailAddress = Email Address
-emailAddress_max = 64
-
-[ req_attributes ]
-challengePassword = A challenge password
-challengePassword_min = 4
-challengePassword_max = 20