NetBSD-Bugs archive


Re: bin/58108 (No OpenSSL configuration file in NetBSD install)



Synopsis: No OpenSSL configuration file in NetBSD install

State-Changed-From-To: open->closed
State-Changed-By: riastradh%NetBSD.org@localhost
State-Changed-When: Wed, 03 Apr 2024 14:27:50 +0000
State-Changed-Why:
This isn't a bug -- the OpenSSL configuration file is highly
application-dependent, and not needed for most programs like ftp(1) or
curl(1) to function normally when calling OpenSSL to do TLS.

If we did ship a system-wide configuration file, there's a good chance
it would be _harmful_ for applications that don't expect it -- for
example, by configuring broken cipher suites which don't get updated on
system upgrades, it could destroy the security of programs that just
call OpenSSL to do TLS.

In the case of openssl req, the config file is where you put the
details of your certificate request.  You can see the openssl_req(1)
man page for details, or /usr/share/examples/openssl/openssl.cnf for an
example (which is very elaborate, much more than necessary for basic
use like generating a request for Let's Encrypt -- also it has the
`openssl ca' side of things too).  Note that a large chunk of this
configuration file is specifying details like the certificate request's
distinguishedName.

Here's a minimal openssl.conf for non-interactive `openssl req' where
you have to specify all the parameters on the command line:

[req]
        distinguished_name = req_distinguished_name
        prompt = no
[req_distinguished_name]

(The `req_distinguished_name' section is empty.)  This doesn't need to
be installed system-wide -- you can just write it to a file like
`myreq.conf' and use `openssl req -config myreq.conf'.
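As an added example (not part of the PR or the reply above), the following shell functions write the two-section config quoted in the message to a file, then drive `openssl req' non-interactively with every subject detail given on the command line, and check the result. It assumes openssl(1) (1.1.1 or later, for -addext) is on PATH; the hostname example.org and the output paths are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the NetBSD PR. Assumes openssl(1) >= 1.1.1 on PATH.
# write_minimal_req_conf FILE: the minimal config from the message, verbatim.
# The req_distinguished_name section is intentionally empty: with prompt = no,
# the whole subject has to come from -subj on the command line.
write_minimal_req_conf() {
    cat > "$1" <<'EOF'
[req]
        distinguished_name = req_distinguished_name
        prompt = no
[req_distinguished_name]
EOF
}

# make_csr DIR HOSTNAME: generate a fresh RSA key and a CSR for HOSTNAME in DIR,
# verify the CSR's self-signature, and print its subject in RFC 2253 form.
# HOSTNAME and DIR are caller-supplied (constructed) values, not from the PR.
make_csr() {
    dir=$1
    host=$2
    write_minimal_req_conf "$dir/myreq.conf"
    # -subj supplies the DN the empty config section does not; -addext adds the
    # subjectAltName that ACME CAs such as Let's Encrypt require in a request.
    openssl req -new -config "$dir/myreq.conf" \
        -newkey rsa:2048 -nodes -keyout "$dir/$host.key" \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" \
        -out "$dir/$host.csr" 2>/dev/null
    # -verify checks the request's self-signature against the embedded public key;
    # a tampered or truncated CSR fails here.
    openssl req -in "$dir/$host.csr" -noout -verify >/dev/null 2>&1
    openssl req -in "$dir/$host.csr" -noout -subject -nameopt RFC2253
}

# csr_has_san DIR HOSTNAME: succeed only if the CSR carries DNS:HOSTNAME as a SAN.
csr_has_san() {
    openssl req -in "$1/$2.csr" -noout -text | grep -q "DNS:$2"
}

# Usage: make_csr /tmp/csr example.org   -> prints "subject=CN=example.org"
```

Nothing here is installed system-wide: myreq.conf lives next to the key and request it produced, and a different host or subject just means a different -subj and -addext on the command line, with the config file unchanged.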




