TT#44919 Change "openssl genrsa" so it works with buster and older releases

The interface of "openssl genrsa" changed in Debian buster (10), and it
doesn't accept "-config" or "-batch" any longer.  It is not very clearly
documented (or easy to find) how and when, because versions of 1.1.0 still work
in the old way, but 1.1.1 doesn't.

The new sub-command "genpkey" is supposed to supersede genrsa, but the output
file is slightly different: genrsa has RSA in the BEGIN/END blocks, while
genpkey has no info about the algorithm:

  -----BEGIN RSA PRIVATE KEY-----
  vs.
  -----BEGIN PRIVATE KEY-----

This small change could bite us if we're parsing these files in some way, and I
found comments complaining that some services do not like the "new" header if
they are linked against older versions of openssl, so e.g. they (Exim in
particular) fail to start.

I found a way in which it works fine for both versions, by still using "genrsa"
and passing the config file through an environment parameter, and removing
-batch.

After pondering it for a bit, I prefer this solution to another one
parsing the Debian release or openssl version and using one or the other version
accordingly, especially because of the lack of clarity of exactly when the
versions had changed.

The rest of the commands continue to accept -config and -batch, so in principle
we do not need to change them, for the time being, but probably we will have to
revisit them in the long run, especially if they keep breaking the interface
without much of a fallback or clear warning.

Change-Id: I495d8cccf120c5a2665d9843392fe580ec59f4bd
changes/30/23930/3
Manuel Montecelo 7 years ago
parent 6e1b17b26e
commit 8f9f92eb68

@ -47,8 +47,8 @@ if [ "$SKIP_CSR" = "true" ] ; then
-out "${CRT_FILE}" \
-nodes -batch
else
/usr/bin/openssl genrsa -out "${KEY_FILE}" 4096 \
-config "${OPENSSL_CONFIG}" -batch
OPENSSL_CONF="${OPENSSL_CONFIG}" /usr/bin/openssl genrsa \
-out "${KEY_FILE}" 4096
/usr/bin/openssl req -new -out "${CSR_FILE}" \
-key "${KEY_FILE}" -config "${OPENSSL_CONFIG}" -batch
/usr/bin/openssl x509 -days "${DAYS}" -req -in "${CSR_FILE}" \
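Review bot: the rewritten genrsa line carries no comment explaining why the config is passed as `OPENSSL_CONF="${OPENSSL_CONFIG}"` instead of `-config`/`-batch`; a one-line comment above it ("genrsa on buster (openssl 1.1.1) rejects -config/-batch; pass config via env") would stop a later cleanup from reverting it to the form the `req` call two lines below still uses (`-key "${KEY_FILE}" -config "${OPENSSL_CONFIG}" -batch`). Since the stated reason for keeping genrsa rather than genpkey is the `-----BEGIN RSA PRIVATE KEY-----` header, it would also be worth a check after the command that `${KEY_FILE}` actually starts with that line, so a silent change in output format fails here rather than when the consuming service starts.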

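As an added example (not part of the commit or the project's script), a small POSIX sh helper that classifies a PEM private-key file by its BEGIN line, plus a wrapper that generates the key the way the commit settles on (config via OPENSSL_CONF, no -config/-batch) and fails unless the result has the PKCS#1 "RSA PRIVATE KEY" framing the message relies on. The function names, the key/config paths and the sample PEM contents are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the commit. Classify a PEM private key by its
# first BEGIN line. genrsa emits PKCS#1 ("RSA PRIVATE KEY"); genpkey emits
# PKCS#8 ("PRIVATE KEY" or "ENCRYPTED PRIVATE KEY"), which some consumers
# linked against older openssl reject.
# pem_key_kind FILE -> prints pkcs1-rsa | pkcs8 | pkcs8-encrypted | unknown
pem_key_kind() {
    first=$(sed -n '/^-----BEGIN/{p;q;}' "$1" 2>/dev/null)
    case "$first" in
        '-----BEGIN RSA PRIVATE KEY-----')       echo pkcs1-rsa ;;
        '-----BEGIN PRIVATE KEY-----')           echo pkcs8 ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-encrypted ;;
        *)                                       echo unknown ;;
    esac
}

# gen_rsa_key KEY_FILE CONFIG_FILE [BITS]
# The form the commit uses: the config file is passed through OPENSSL_CONF
# instead of -config/-batch, so the same line works before and after the
# buster (openssl 1.1.1) interface change. Returns non-zero if openssl fails
# or the generated file is not in PKCS#1 RSA framing.
gen_rsa_key() {
    key="$1"; conf="$2"; bits="${3:-4096}"
    OPENSSL_CONF="$conf" /usr/bin/openssl genrsa -out "$key" "$bits" || return 1
    [ "$(pem_key_kind "$key")" = pkcs1-rsa ]
}
```

Dropping the check into the script right after the genrsa call turns a changed output format into an immediate error instead of a service that fails to start later.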