From 182af7a40f055b6449bb16392a92dbadafd80f6b Mon Sep 17 00:00:00 2001
From: Manuel Montecelo
Date: Mon, 1 Oct 2018 12:23:51 +0200
Subject: [PATCH] TT#44919 Change "openssl genrsa" so it works with buster and older releases

The interface of "openssl genrsa" changed in Debian buster (10), and it doesn't accept "-config" or "-batch" any longer. It is not very clearly documented (or easy to find) how and when, because versions of 1.1.0 still work in the old way, but 1.1.1 doesn't.

The new sub-command "genpkey" is supposed to supersede genrsa, but the output file is slightly different: genrsa has RSA in the BEGIN/END blocks, while genpkey has no info about the algorithm:

  -----BEGIN RSA PRIVATE KEY-----

vs.

  -----BEGIN PRIVATE KEY-----

This small change could bite us if we're parsing these files in some way, and I found comments complaining that some services do not like the "new" header if they are linked against older versions of openssl, so e.g. they (Exim in particular) fail to start.

I found a way in which it works fine for both versions, by still using "genrsa", passing the config file through an environment variable, and removing -batch. After pondering it for a bit, I prefer this solution to another one that parses the Debian release or openssl version and uses one or the other accordingly, especially because of the lack of clarity about exactly when the versions changed.

The rest of the commands continue to accept -config and -batch, so in principle we do not need to change them for the time being, but we will probably have to revisit them in the long run, especially if they keep breaking the interface without much of a fallback or a clear warning.

Change-Id: I495d8cccf120c5a2665d9843392fe580ec59f4bd
(cherry picked from commit 8f9f92eb68735b8efcb13afde68a265412c8c7c1)
(cherry picked from commit 25302d185f3b146ee73231879f7753e68adb882c)
---
 tools/generate_ssl_keys.sh | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
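The commit message relies on the PEM header to tell a genrsa key ("BEGIN RSA PRIVATE KEY") from a genpkey key ("BEGIN PRIVATE KEY"), because some consumers such as Exim only accept the former. The following shell helpers are an added example, not part of this patch or of tools/generate_ssl_keys.sh: they classify a key file by that header, generate a key with the same env-var style invocation the patch settles on, and convert a PKCS#8 key into the traditional framing where a consumer needs it, verifying the header afterwards. The function names are hypothetical; only POSIX sh, grep and an openssl binary on PATH are assumed. Note that the example goes one step beyond the message: with OpenSSL 3.x, genrsa itself writes "BEGIN PRIVATE KEY" unless -traditional is given, so checking the header after generation rather than trusting the sub-command is the robust approach.

```shell
#!/bin/sh
# Added example (not part of the patch or the ngcp tools): classify an RSA
# private key PEM by its header, generate a key the way the patch does, and
# convert a PKCS#8 key into the traditional "BEGIN RSA PRIVATE KEY" framing
# when a consumer needs it. Assumes only POSIX sh, grep and openssl on PATH.

# Print "traditional", "pkcs8", "encrypted-pkcs8" or "unknown" for a PEM file.
pem_key_format() {
    if grep -q '^-----BEGIN RSA PRIVATE KEY-----' "$1"; then
        echo traditional
    elif grep -q '^-----BEGIN PRIVATE KEY-----' "$1"; then
        echo pkcs8
    elif grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo encrypted-pkcs8
    else
        echo unknown
    fi
}

# Generate a 4096-bit RSA key with the invocation the patch uses:
# $1 = output path, $2 = optional openssl config file (exported as
# OPENSSL_CONF instead of the removed "-config" option). The key is written
# unencrypted, so restrict permissions before openssl creates the file.
gen_rsa_key() {
    if [ -n "$2" ]; then
        ( umask 077; OPENSSL_CONF="$2" openssl genrsa -out "$1" 4096 )
    else
        ( umask 077; openssl genrsa -out "$1" 4096 )
    fi
}

# Rewrite a PKCS#8 ("BEGIN PRIVATE KEY") RSA key in place into the
# traditional framing; keys already in that framing are left untouched.
# Returns 0 on success, 1 if the file is not convertible here or the
# conversion did not produce the expected header.
ensure_traditional_rsa() {
    case "$(pem_key_format "$1")" in
        traditional) return 0 ;;
        pkcs8) ;;
        *) return 1 ;;
    esac
    tmp="$1.tmp.$$"
    # OpenSSL 3.x needs -traditional to emit the old framing; OpenSSL 1.1.x
    # does not know that option and emits the old framing by default, so
    # try the first form and fall back to the second.
    ( umask 077
      openssl rsa -in "$1" -out "$tmp" -traditional 2>/dev/null \
          || openssl rsa -in "$1" -out "$tmp" ) || { rm -f "$tmp"; return 1; }
    if [ "$(pem_key_format "$tmp")" = traditional ]; then
        mv "$tmp" "$1"
    else
        rm -f "$tmp"
        return 1
    fi
}
```

Typical use is `gen_rsa_key "$KEY_FILE" "$OPENSSL_CONFIG" && ensure_traditional_rsa "$KEY_FILE"`, after which `pem_key_format "$KEY_FILE"` prints `traditional` regardless of which OpenSSL release generated the key.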
diff --git a/tools/generate_ssl_keys.sh b/tools/generate_ssl_keys.sh index a7e388fda6..5f726da8f1 100755 --- a/tools/generate_ssl_keys.sh +++ b/tools/generate_ssl_keys.sh @@ -47,8 +47,8 @@ if [ "$SKIP_CSR" = "true" ] ; then -out "${CRT_FILE}" \ -nodes -batch else - /usr/bin/openssl genrsa -out "${KEY_FILE}" 4096 \ - -config "${OPENSSL_CONFIG}" -batch + OPENSSL_CONF="${OPENSSL_CONFIG}" /usr/bin/openssl genrsa \ + -out "${KEY_FILE}" 4096 /usr/bin/openssl req -new -out "${CSR_FILE}" \ -key "${KEY_FILE}" -config "${OPENSSL_CONFIG}" -batch /usr/bin/openssl x509 -days "${DAYS}" -req -in "${CSR_FILE}" \
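Review bot: the new `genrsa` line writes an unencrypted private key to `"${KEY_FILE}"` with whatever permissions the caller's umask allows, and nothing in this hunk (or the old `-config`/`-batch` form) restricts that; consider a `umask 077` before the `OPENSSL_CONF="${OPENSSL_CONFIG}" /usr/bin/openssl genrsa` line, or a `chmod 600 "${KEY_FILE}"` right after it, so the key is never group- or world-readable. A one-line comment at the same spot would also help the next reader: `genrsa` takes no key parameters from a config file, so `OPENSSL_CONF` here only selects the library-level configuration OpenSSL loads at startup, and the settings in `"${OPENSSL_CONFIG}"` only take effect in the following `req -config "${OPENSSL_CONFIG}"` step.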