NetBSD-Bugs archive


Re: port-amd64/60365 (LibreSSL/OpenSSL req missing config file)



Synopsis: LibreSSL/OpenSSL req missing config file

State-Changed-From-To: open->analyzed
State-Changed-By: riastradh%NetBSD.org@localhost
State-Changed-When: Thu, 25 Jun 2026 01:20:24 +0000
State-Changed-Why:
I have mixed feelings about this.

On the one hand, it is nice to make a command line such as

openssl req -new -sha256 -key key -subj / -addext subjectAltName=DNS:example.com

like you'll find at <https://github.com/diafygi/acme-tiny> work out of
the box.  And since netbsd-10, openssl is happy with an empty
openssl.cnf to make this happen.  (In netbsd<=9, openssl required some
stuff in the config file, like a [req]distinguished_name setting
pointing to a section that provides various DN parameters.)

On the other hand, other systems like Debian ship what is really an
_example_ at /etc/ssl/openssl.cnf rather than a set of reasonable
_defaults_, so if you do try to use `openssl req' without your own
complete config file replacement, your certificate request will include
things like countryName=AU and ON=Internet Widgits Pty Ltd.  In other
words, you really _don't_ want to use the default shipped on other
systems.  And you can safely just use `-config /dev/null', which is the
portable way to do it.  In other words, by making this work on NetBSD,
we're encouraging foot-guns on other systems.

So I'm tempted to create an empty /etc/openssl/openssl.cnf (except for
some comments).  I'm not 100% convinced it's the right thing.  But it's
probably reasonable to do.

I have not looked into what other openssl commands require a config
file.  Maybe it would be better to just patch `openssl req' so that it
doesn't fail if the config file doesn't exist, since surely that's not
much different from having an empty config file.
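Added example for this discussion (not code from NetBSD, the PR submitter, or acme-tiny): it builds two CSRs from one key. The first uses a constructed config that mimics the kind of _example_ openssl.cnf other systems ship (prompt = no with countryName=AU and O=Internet Widgits Pty Ltd) and passes no -subj, so those values land in the request. The second does it the portable way, with -subj / and -addext plus a minimal config of your own that satisfies releases which insist on a [req] distinguished_name section (on OpenSSL 3 / netbsd-10, -config /dev/null works the same). It assumes an openssl(1) that understands -addext (OpenSSL 1.1.1+ or LibreSSL 3.1+); the file names and the helper functions are this example's own.

```shell
#!/bin/sh
# Added example, not NetBSD or acme-tiny code.  Two CSRs from the same key:
# one from a constructed "example"-style openssl.cnf (the foot-gun), one built
# the portable way with -subj / and a minimal config we control.
# Assumes openssl(1) with -addext support (OpenSSL 1.1.1+ / LibreSSL 3.1+).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for a distribution "example" config: with prompt = no,
# every value below is copied verbatim into the CSR subject.
cat >"$WORK/example.cnf" <<'EOF'
[req]
distinguished_name = req_dn
prompt = no
[req_dn]
C  = AU
ST = Some-State
O  = Internet Widgits Pty Ltd
EOF

# Smallest config older openssl req accepts: [req] must name a
# distinguished_name section, but that section may be empty when -subj is used.
cat >"$WORK/minimal.cnf" <<'EOF'
[req]
distinguished_name = req_dn
[req_dn]
EOF

# A P-256 key keeps the example fast; the key type is immaterial here.
openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/key.pem"

# Foot-gun: no -subj, so the subject is whatever the config file supplies.
make_footgun_csr() {
    openssl req -new -sha256 -key "$WORK/key.pem" \
        -config "$WORK/example.cnf" -out "$1"
}

# Portable: empty subject, hostname only in subjectAltName, own config file.
make_clean_csr() {
    openssl req -new -sha256 -key "$WORK/key.pem" -subj / \
        -addext "subjectAltName=DNS:$2" \
        -config "$WORK/minimal.cnf" -out "$1"
}

# Subject line of a CSR as openssl prints it.  OpenSSL and LibreSSL format
# it differently, so callers should grep it rather than compare byte for byte.
csr_subject() {
    openssl req -in "$1" -noout -subject
}

# Decoded subjectAltName value from the CSR's requested extensions.
csr_san() {
    openssl req -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Exit status 0 when the subject carries none of the well-known example values.
csr_is_clean() {
    ! csr_subject "$1" | grep -Eq 'C ?= ?AU|Internet Widgits'
}

make_footgun_csr "$WORK/footgun.csr"
make_clean_csr   "$WORK/clean.csr" example.com

csr_subject "$WORK/footgun.csr"   # contains O = Internet Widgits Pty Ltd (format varies)
csr_subject "$WORK/clean.csr"     # empty subject
csr_san     "$WORK/clean.csr"     # DNS:example.com
csr_is_clean "$WORK/footgun.csr" || echo "foot-gun CSR carries example DN values"
csr_is_clean "$WORK/clean.csr"   && echo "clean CSR has no subject, as intended"
```

The minimal config is the part that matters for portability: a single distinguished_name line pointing at an empty section is enough for the releases that refuse to run without one, and it never contributes a DN value, so the request contains exactly what -subj and -addext say and nothing inherited from the system openssl.cnf.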
