[openssl-users] missing default /usr/local/ssl/openssl.cnf causes failure on AIX, warning on all others

Michael Wojcik Michael.Wojcik at microfocus.com
Fri Jan 23 15:04:07 UTC 2015


> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
> Of Koehne Kai
> Sent: Friday, January 23, 2015 04:03
> To: openssl-users at openssl.org
> Subject: Re: [openssl-users] missing default /usr/local/ssl/openssl.cnf causes
> failure on AIX, warning on all others
> 
> This reminds me of
> http://rt.openssl.org/Ticket/Display.html?id=2644&user=guest&pass=guest ,
> though it's in another code path ... Over time I met at least 4 other people
> who ran into exactly this issue on Windows, so if I'd have any votes to give to
> a bug report, it would be this one :)

This is an interesting one because the problem is clear - the openssl utility exits if it gets any error other than "file doesn't exist" trying to open its configuration file - but the solution is not.

Why not? Because the current behavior is failing-to-secure. The openssl utility doesn't know what's in the configuration file if it can't open it. There might be a security vulnerability if openssl can run without processing the configuration file. The existing logic allows for two cases: the configuration file is processed, and the configuration file doesn't exist (in which case we get a warning diagnostic but processing continues). Anything else is treated as a possible attack.

Now, we might point out that the user can simply override the name of the configuration file, as I suggested in an earlier message (and Dave confirmed bypasses the issue). But it's conceivable that openssl is being run in a script which sets the OPENSSL_CONF environment variable, so the user can't force the configuration file.

In my opinion, the risk here is small, and I'd favor expanding the conditions under which openssl emits the warning and continues, as bug 2644 suggests. But reasonable people could argue otherwise.

Probably someone who's particularly bothered by this should submit a patch.

-- 
Michael Wojcik
Technology Specialist, Micro Focus
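The three-way decision described above (process the file, warn and continue on a missing file, stop on any other open error) next to the OPENSSL_CONF override, as an added Python example that is not OpenSSL's code or anything posted in this thread. The function names `resolve_conf_path`, `load_conf`, `demo_cases` and the relaxed `fail_closed=False` policy are this example's own; every file it opens is constructed in a temp directory, never the real default path.

```python
import errno
import os
import tempfile

DEFAULT_CONF = "/usr/local/ssl/openssl.cnf"  # default path named in the thread


def resolve_conf_path(env=None):
    """OPENSSL_CONF overrides the default path, as the thread describes."""
    env = os.environ if env is None else env
    return env.get("OPENSSL_CONF", DEFAULT_CONF)


def load_conf(path, fail_closed=True):
    """Classify the result of opening a config file. Returns (status, detail).

    'loaded'  file read and config processed
    'missing' ENOENT: warn and continue (tolerated by both policies)
    'error'   any other open error under the fail-closed policy: stop
    'warned'  any other open error under the relaxed policy bug 2644 asks for: continue
    """
    try:
        with open(path, "r", encoding="utf-8") as fh:
            return ("loaded", fh.read())
    except OSError as exc:
        reason = "%s: %s" % (path, os.strerror(exc.errno))
        if exc.errno == errno.ENOENT:
            return ("missing", "warning: can't open config file: " + reason)
        if fail_closed:
            return ("error", "fatal: can't open config file: " + reason)
        return ("warned", "warning: can't open config file: " + reason)


def demo_cases():
    """Run every outcome against constructed files in a temp dir, never the real default path."""
    with tempfile.TemporaryDirectory() as tmp:
        conf = os.path.join(tmp, "openssl.cnf")
        with open(conf, "w", encoding="utf-8") as fh:
            fh.write("[ default ]\n")  # minimal constructed config
        return {
            "loaded": load_conf(conf)[0],
            "missing": load_conf(os.path.join(tmp, "absent.cnf"))[0],
            # a directory opens with EISDIR (EACCES on Windows), not ENOENT: fail closed
            "unreadable_strict": load_conf(tmp)[0],
            "unreadable_relaxed": load_conf(tmp, fail_closed=False)[0],
            "override": resolve_conf_path({"OPENSSL_CONF": conf}) == conf,
            "default": resolve_conf_path({}) == DEFAULT_CONF,
        }
```

The `unreadable_*` cases are the situation the thread is about: an error that is not "file doesn't exist" is fatal under the current policy and only a warning under the relaxed one.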


