Subject: bin/24458: openssl config parser (variable substitution) broken
To: None <>
From: Frank Kardel <>
List: netbsd-bugs
Date: 02/17/2004 15:43:18
>Number:         24458
>Category:       bin
>Synopsis:       openssl.cnf cannot correctly do variable substitution
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    bin-bug-people
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Tue Feb 17 14:44:00 UTC 2004
>Originator:     Frank Kardel
>Release:        NetBSD 1.6ZK
System: NetBSD pip 1.6ZK NetBSD 1.6ZK (SYSPIP_ISDN) #1: Sun Feb 15 15:42:43 MET 2004 kardel@pip:/fs/IC35L120AVV207-0-e/src/NetBSD/netbsd/sys/arch/i386/compile/obj.i386/SYSPIP_ISDN i386
Architecture: i386
Machine: i386
	After upgrading my notebook to -current openssl couldn't
	correctly read private keys any more. openssl.cnf
	had lines like this:
	dir		= ${ENV::CA_ROOT}/userCA
	certname        = user-ca1
	private_key     = ${dir}/private/${certname}.key

	Before the upgrade this was correctly expanded.
	Now expansion stops with the p from private. When only
	one variable needs to be expanded things work. The
	second expansion seems to mess up.
	Try using openssl ca with a configuration using the
	above pattern.

	1) check for errors in the config parser
	2) use only one substitution as a workaround
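
Added example, not part of the original report and not OpenSSL's code: a simplified Python model of openssl.cnf variable expansion that computes what the reported lines should expand to and lists the entries with two or more references, which are the ones the workaround has to rewrite. The section name, the CA_ROOT value and the function names are assumptions; quoting and escape handling are left out.

```python
import re

# ${name}, ${section::name}, $name, $section::name (ENV is the environment)
_REF = re.compile(r"\$(?:\{(?:(\w+)::)?(\w+)\}|(?:(\w+)::)?(\w+))")

def _entries(text):
    """Yield (section, name, raw_value) for each assignment line."""
    section = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # simplification: no quoting/escapes
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif "=" in line:
            name, _, value = line.partition("=")
            yield section, name.strip(), value.strip()

def parse(text, env):
    """Return {section: {name: expanded_value}}, expanding as lines are read."""
    sections = {"default": {}}

    def expand(value, current):
        def lookup(m):
            sec, name = m.group(1) or m.group(3), m.group(2) or m.group(4)
            if sec == "ENV":
                return env[name]
            if sec is not None:
                return sections[sec][name]
            for s in (current, "default"):    # current section, then default
                if name in sections.get(s, {}):
                    return sections[s][name]
            raise KeyError(name)
        return _REF.sub(lookup, value)        # every reference, not just the first

    for section, name, value in _entries(text):
        sections.setdefault(section, {})[name] = expand(value, section)
    return sections

def multi_reference_entries(text):
    """Names of entries whose value holds two or more references."""
    return [n for _, n, v in _entries(text) if len(_REF.findall(v)) >= 2]

# Constructed sample: the three lines from the report; the section name and
# the CA_ROOT value passed to parse() are assumptions.
SAMPLE = """\
[ CA_default ]
dir         = ${ENV::CA_ROOT}/userCA
certname    = user-ca1
private_key = ${dir}/private/${certname}.key
"""
```

Comparing the value from parse() with the path openssl actually tries to open shows whether an installed build truncates the second substitution.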