Richard Levitte - VMS Whacker wrote:
>
> From: [EMAIL PROTECTED] (Darren Reed)
>
> darrenr> It strikes me as somewhat peculiar that there is little support for
> darrenr> environment variables with the various libraries, in particular to
> darrenr> support debugging. For example, I was trying out the pkcs12 -chain
> darrenr> option, only to find it was insisting on using a certificate from
> darrenr> /usr/local/ssl/certs/cert.pem as well as another file which I did
> darrenr> not recognise. It turns out that this filename is actually a hash.
>
> Could you please show us the exact command? I've tried to reproduce
> what happened to you by guessing what you're trying to do, but I
> fail.
openssl pkcs12 -export -chain -in newcert.pem -inkey newreq.pem -out new.p12

- this is without having set up /usr/local/ssl aside from having openssl.cnf installed. I have created ./demoCA because too many things expect at least that to be present (well, most notably, "openssl ca") and there exist files under there. To recreate the problem:
- set up a CA under ./demoCA (do not install anything into /usr/local/ssl)
- create & sign a cert
- attempt to do the export command as above.
> darrenr> Anyway, to get around the first problem, I poked around the x509
> darrenr> source before coming across x509_def.c. It struck me as rather odd
> darrenr> that there were a bunch of pathnames in here that were otherwise
> darrenr> inaccessible. The patch below adds support for some environment
> darrenr> variables which override the compiled in defaults.
>
> I dunno about the others in the team, but I personally think a routine
> library should avoid poking around in environment, or even look at
> it. That's an application-level thing to do.
There are *many* instances of libraries using environment variables for direction. For example, under X windows, the first which comes to mind is XAPPLRESDIR, or in libc, TMPDIR, LD_PRELOAD, LD_LIBRARY_PATH, etc. The BIND resolver library also has environment variables to control things.

Given that all these paths are set at compile time, either space is made in openssl.cnf for them or they come from environment variables. Since they are so deeply nested inside the application, it is unreasonable to expect each app to provide the appropriate command line switches to alter them as required - hence using environment variables is preferred.
Darren
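The following script is an added example, not part of the thread above and not OpenSSL's own code. It reproduces the two points under discussion with a throwaway PKI (every name, subject and password in it is constructed): the "filename that is actually a hash" is the subject-name hash OpenSSL's directory lookup uses to find an issuer, and the library already honours one environment variable for that directory, SSL_CERT_DIR, which overrides the compiled-in default when no -CApath is given. The script assumes a working openssl command and its default openssl.cnf.

```shell
#!/bin/sh
# Added example, not from the original thread. Builds a throwaway CA and leaf
# certificate (all names constructed), then shows that "openssl pkcs12 -chain"
# finds the issuer only through a CA directory indexed by subject-name hash,
# and that SSL_CERT_DIR overrides the compiled-in default for that directory.
set -eu

# Create ca.pem, newreq.pem (leaf key) and newcert.pem in $1, and put a copy of
# the CA into $1/cadir under the name OpenSSL's lookup expects: <hash>.0
make_pki() {
  dir=$1
  mkdir -p "$dir/cadir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" \
    -subj "/CN=Constructed Test CA" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$dir/newreq.pem" -out "$dir/newreq.csr" \
    -subj "/CN=leaf.example.invalid" >/dev/null 2>&1
  openssl x509 -req -in "$dir/newreq.csr" \
    -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial -days 1 \
    -out "$dir/newcert.pem" >/dev/null 2>&1
  # The unrecognised filename from the thread: a hash of the CA's subject name.
  h=$(openssl x509 -in "$dir/ca.pem" -noout -hash)
  cp "$dir/ca.pem" "$dir/cadir/$h.0"
  echo "$h"
}

# The thread's export command; $1 = work dir, remaining args = extra options.
try_export() {
  dir=$1; shift
  openssl pkcs12 -export -chain -passout pass:constructed \
    -in "$dir/newcert.pem" -inkey "$dir/newreq.pem" -out "$dir/new.p12" \
    "$@" >/dev/null 2>&1
}

# Prints "ok" when the three runs behave as expected (fail, succeed, succeed),
# "skipped" when no openssl binary is available.
chain_demo() {
  command -v openssl >/dev/null 2>&1 || { echo skipped; return 0; }
  tmp=$(mktemp -d)
  make_pki "$tmp" >/dev/null
  mkdir -p "$tmp/empty"
  # 1. CA directory without the hashed file: issuer not found, -chain fails.
  if try_export "$tmp" -CApath "$tmp/empty"; then
    echo "chain built without a CA directory"; rm -rf "$tmp"; return 1
  fi
  # 2. Explicit -CApath at the hashed directory: the application-level way.
  try_export "$tmp" -CApath "$tmp/cadir" \
    || { echo "-CApath lookup failed"; rm -rf "$tmp"; return 1; }
  # 3. No -CApath, but SSL_CERT_DIR set: the library-level env override.
  SSL_CERT_DIR="$tmp/cadir" try_export "$tmp" \
    || { echo "SSL_CERT_DIR ignored"; rm -rf "$tmp"; return 1; }
  rm -rf "$tmp"
  echo ok
}

chain_demo
```

Run 1 fails because the directory lookup only tries the name `<subject hash>.<n>`; dropping ca.pem into the directory under any other name does nothing until the hashed copy or symlink exists. Run 3 is the behaviour the thread is asking about: the default-directory lookup reads SSL_CERT_DIR (and the default-file lookup reads SSL_CERT_FILE) before falling back to the compile-time path. On glibc systems, recent OpenSSL reads these through secure_getenv, so a set-user-ID program does not pick up a caller-supplied directory, which is the main risk of letting a library take direction from the environment.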
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]