[Pkg-openssl-devel] Bug#650332: -extensions XXX can be specified on command line and openssl will silently ignore it
xavier renaut
xavier.reportbug-debian..natch.2011.11.28.17.10.21 at pecos.8d.com
Mon Nov 28 22:17:55 UTC 2011
Package: openssl
Version: 1.0.0e-2
Severity: normal
When I try to build a CA,
if I use:
openssl x509 -req -extensions v3_ca -sha256 -days 7300 -in toto.csr -signkey toto.key -out toto.crt
openssl will not use the section v3_ca, and will happily output a wrongly generated cert.
And worst of all, it does not say anything about the unused section.
The right command was:
openssl x509 -req -extfile /etc/ssl/openssl.cnf -extensions v3_ca -sha256 -days 7300 -in toto.csr -signkey toto.key -out toto.crt
In the x509 manpage, in the -extfile section, it is specified that -extfile is mandatory.
However, I think that it should also be mentioned in the -extensions section.
More than that, it should print a warning: "not using extension XXX, extfile not here"
Thanks
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (900, 'testing'), (600, 'unstable'), (550, 'stable'), (449, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 3.0.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages openssl depends on:
ii libc6 2.13-21 Embedded GNU C Library: Shared lib
ii libssl1.0.0 1.0.0e-2 SSL shared libraries
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
openssl recommends no packages.
Versions of packages openssl suggests:
ii ca-certificates 20090814+nmu2 Common CA certificates
-- Configuration Files:
/etc/ssl/openssl.cnf changed [not included]
-- no debconf information
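
A post-signing check for the failure described in the report above, as an added example that is not part of the original message or of OpenSSL: it runs the same `openssl x509 -req` command and deletes the certificate unless basicConstraints CA:TRUE is actually present in it. The function names, the contents of `ca.cnf` and the `v3_leaf` section are constructed for illustration.

```shell
#!/bin/sh
# Return 0 only if the certificate in $1 carries basicConstraints CA:TRUE.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}

# Self-sign CSR $1 with key $2 into $3 using section $5 of extfile $4.
# An empty $4 omits -extfile, as in the first command of the report.
# Returns 0 if the result is a CA cert, 1 if not (cert removed), 2 on error.
sign_ca_checked() {
    csr=$1; key=$2; out=$3; extfile=$4; section=$5
    set -- -req -extensions "$section" -sha256 -days 7300 \
        -in "$csr" -signkey "$key" -out "$out"
    [ -n "$extfile" ] && set -- "$@" -extfile "$extfile"
    openssl x509 "$@" || return 2
    if ! cert_is_ca "$out"; then
        echo "refusing $out: section '$section' did not yield a CA cert" >&2
        rm -f "$out"
        return 1
    fi
}

# Build constructed test material in directory $1: a key, a CSR, and a
# config file holding one CA section and one non-CA section.
make_fixture() {
    cat > "$1/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = toto test CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
EOF
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
        -keyout "$1/toto.key" -out "$1/toto.csr" >/dev/null 2>&1
}
```

Checking the issued certificate rather than the command's exit status catches the missing `-extfile` case as well as a mistyped or wrong section name.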