From: Pauli Date: Wed, 28 Jul 2021 23:55:09 +0000 (+1000) Subject: Add config_diagnostics to our configuration files. X-Git-Tag: openssl-3.0.0~168 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=92c03668c0cd77434006b613e3429888a0a8ecfe;p=thirdparty%2Fopenssl.git Add config_diagnostics to our configuration files. The change to a more configuration based approach to enable FIPS mode operation highlights a shortcoming in the default should do something approach we've taken for bad configuration files. Currently, a bad configuration file will be automatically loaded and once the badness is detected, it will silently stop processing the configuration and continue normal operations. This is good for remote servers, allowing changes to be made without bricking things. It's bad when a user thinks they've configured what they want but got something wrong and it still appears to work. Reviewed-by: Dmitry Belyavskiy (Merged from https://github.com/openssl/openssl/pull/16171) --- diff --git a/apps/openssl-vms.cnf b/apps/openssl-vms.cnf index f18e63c3518..4d96a1f32d2 100644 --- a/apps/openssl-vms.cnf +++ b/apps/openssl-vms.cnf @@ -16,8 +16,7 @@ HOME = . # Use this in order to automatically load providers. openssl_conf = openssl_init -# Comment this out if you deliberately want to ignore -# configuration errors +# Comment out the next line to ignore configuration errors config_diagnostics = 1 # Extra OBJECT IDENTIFIER info: diff --git a/apps/openssl.cnf b/apps/openssl.cnf index 97567a67be6..ffb424a871c 100644 --- a/apps/openssl.cnf +++ b/apps/openssl.cnf @@ -16,8 +16,7 @@ HOME = . # Use this in order to automatically load providers. openssl_conf = openssl_init -# Comment this out if you deliberately want to ignore -# configuration errors +# Comment out the next line to ignore configuration errors config_diagnostics = 1 # Extra OBJECT IDENTIFIER info: diff --git a/demos/bio/accept.cnf b/demos/bio/accept.cnf index cb0cefba753..ce36678ee9c 100644 --- a/demos/bio/accept.cnf +++ b/demos/bio/accept.cnf @@ -1,10 +1,16 @@ # Example configuration file + +# Comment out the next line to ignore configuration errors +config_diagnostics = 1 + # Port to listen on Port = 4433 + # Disable TLS v1.2 for test. # Protocol = ALL, -TLSv1.2 # Only support 3 curves Curves = P-521:P-384:P-256 + # Restricted signature algorithms SignatureAlgorithms = RSA+SHA512:ECDSA+SHA512 Certificate=server.pem diff --git a/demos/bio/cmod.cnf b/demos/bio/cmod.cnf index 39ac54edd9b..df514dba790 100644 --- a/demos/bio/cmod.cnf +++ b/demos/bio/cmod.cnf @@ -4,6 +4,9 @@ # and section containing configuration testapp = test_sect +# Comment out the next line to ignore configuration errors +config_diagnostics = 1 + [test_sect] # list of configuration modules diff --git a/demos/bio/connect.cnf b/demos/bio/connect.cnf index ab764403a47..0049a77b2d6 100644 --- a/demos/bio/connect.cnf +++ b/demos/bio/connect.cnf @@ -1,9 +1,15 @@ # Example configuration file + +# Comment out the next line to ignore configuration errors +config_diagnostics = 1 + # Connects to the default port of s_server Connect = localhost:4433 + # Disable TLS v1.2 for test. # Protocol = ALL, -TLSv1.2 # Only support 3 curves Curves = P-521:P-384:P-256 + # Restricted signature algorithms SignatureAlgorithms = RSA+SHA512:ECDSA+SHA512 diff --git a/demos/certs/apps/apps.cnf b/demos/certs/apps/apps.cnf index 07a3d10b551..72ed70de758 100644 --- a/demos/certs/apps/apps.cnf +++ b/demos/certs/apps/apps.cnf @@ -7,6 +7,10 @@ HOME = . CN = "Not Defined" +# Comment out the next line to ignore configuration errors +config_diagnostics = 1 + + #################################################################### [ req ] default_bits = 2048 diff --git a/demos/certs/ca.cnf b/demos/certs/ca.cnf index 2fbf20490b7..e0c73c4eefe 100644 --- a/demos/certs/ca.cnf +++ b/demos/certs/ca.cnf @@ -8,6 +8,9 @@ HOME = . CN = "Not Defined" default_ca = ca +# Comment out the next line to ignore configuration errors +config_diagnostics = 1 + #################################################################### [ req ] default_bits = 1024 diff --git a/test/CAtsa.cnf b/test/CAtsa.cnf index e232e7023ef..50f68cbc196 100644 --- a/test/CAtsa.cnf +++ b/test/CAtsa.cnf @@ -3,6 +3,9 @@ # This config is used by the Time Stamp Authority tests. # +# Comment out the next line to ignore configuration errors +config_diagnostics = 1 + # Extra OBJECT IDENTIFIER info: oid_section = new_oids diff --git a/test/ca-and-certs.cnf b/test/ca-and-certs.cnf index f6663924ae0..463b49954c6 100644 --- a/test/ca-and-certs.cnf +++ b/test/ca-and-certs.cnf @@ -1,4 +1,7 @@ +# Comment out the next line to ignore configuration errors +config_diagnostics = 1 + CN2 = Brother 2 #################################################################### diff --git a/test/ct/log_list.cnf b/test/ct/log_list.cnf index 4b68e535580..b723b8c9f69 100644 --- a/test/ct/log_list.cnf +++ b/test/ct/log_list.cnf @@ -1,5 +1,8 @@ enabled_logs=test,pilot,aviator,rocketeer,digicert,certly,izempe,symantec,venafi +# Comment out the next line to ignore configuration errors +config_diagnostics = 1 + [test] description = https://github.com/google/certificate-transparency/tree/99218b6445906a81f219d84e9c6d2683e13e4e58/test/testdata key = MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEmXg8sUUzwBYaWrRb+V0IopzQ6o3UyEJ04r5ZrRXGdpYM8K+hB0pXrGRLI0eeWz+3skXrS0IO83AhA3GpRL6s6w== diff --git a/test/default-and-fips.cnf b/test/default-and-fips.cnf index 7a4d765591c..2ca6487fd2f 100644 --- a/test/default-and-fips.cnf +++ b/test/default-and-fips.cnf @@ -1,5 +1,8 @@ openssl_conf = openssl_init +# Comment out the next line to ignore configuration errors +config_diagnostics = 1 + .include fipsmodule.cnf [openssl_init] diff --git a/test/default-and-legacy.cnf b/test/default-and-legacy.cnf index adfa225f64a..4e288a45eac 100644 --- a/test/default-and-legacy.cnf +++ b/test/default-and-legacy.cnf @@ -1,5 +1,8 @@ openssl_conf = openssl_init +# Comment out the next line to ignore configuration errors +config_diagnostics = 1 + [openssl_init] providers = provider_sect diff --git a/test/default.cnf b/test/default.cnf index 12da8cb5bdd..f29d0e92bae 100644 --- a/test/default.cnf +++ b/test/default.cnf @@ -1,5 +1,8 @@ openssl_conf = openssl_init +# Comment out the next line to ignore configuration errors +config_diagnostics = 1 + [openssl_init] providers = provider_sect diff --git a/test/fips-and-base.cnf b/test/fips-and-base.cnf index 0caf2b88a43..494e96a87ef 100644 --- a/test/fips-and-base.cnf +++ b/test/fips-and-base.cnf @@ -1,5 +1,8 @@ openssl_conf = openssl_init +# Comment out the next line to ignore configuration errors +config_diagnostics = 1 + .include fipsmodule.cnf [openssl_init] diff --git a/test/fips.cnf b/test/fips.cnf index fa131a8bf62..74349c80aeb 100644 --- a/test/fips.cnf +++ b/test/fips.cnf @@ -1,5 +1,8 @@ openssl_conf = openssl_init +# Comment out the next line to ignore configuration errors +config_diagnostics = 1 + .include fipsmodule.cnf [openssl_init] diff --git a/test/legacy.cnf b/test/legacy.cnf index 60b09a1e34f..ffbcbd16ba1 100644 --- a/test/legacy.cnf +++ b/test/legacy.cnf @@ -1,5 +1,8 @@ openssl_conf = openssl_init +# Comment out the next line to ignore configuration errors +config_diagnostics = 1 + [openssl_init] providers = provider_sect diff --git a/test/provider_internal_test.cnf.in b/test/provider_internal_test.cnf.in index 12c292437ea..16c555c8449 100644 --- a/test/provider_internal_test.cnf.in +++ b/test/provider_internal_test.cnf.in @@ -1,3 +1,6 @@ +# Comment out the next line to ignore configuration errors +config_diagnostics = 1 + {- use platform -} openssl_conf = openssl_init diff --git a/test/proxy.cnf b/test/proxy.cnf index ceac227c04a..cfb862cbda2 100644 --- a/test/proxy.cnf +++ b/test/proxy.cnf @@ -1,6 +1,9 @@ ## Config file for proxy certificate testing. +# Comment out the next line to ignore configuration errors +config_diagnostics = 1 + [ req ] distinguished_name = req_distinguished_name_p1 encrypt_rsa_key = no diff --git a/test/smime-certs/ca.cnf b/test/smime-certs/ca.cnf index 00d40e74791..31bddea1fa0 100644 --- a/test/smime-certs/ca.cnf +++ b/test/smime-certs/ca.cnf @@ -2,6 +2,9 @@ # OpenSSL example configuration file for automated certificate creation. # +# Comment out the next line to ignore configuration errors +config_diagnostics = 1 + # This definition stops the following lines choking if HOME or CN # is undefined. HOME = . diff --git a/test/sysdefault.cnf b/test/sysdefault.cnf index 5473d837c10..0094831608e 100644 --- a/test/sysdefault.cnf +++ b/test/sysdefault.cnf @@ -1,5 +1,8 @@ # Configuration file to test system default SSL configuration +# Comment out the next line to ignore configuration errors +config_diagnostics = 1 + openssl_conf = default_conf [ default_conf ]