[MacPorts] #71760: OpenSSL-3.4.0 legacy provider improperly built/configured

MacPorts noreply at macports.org
Mon Jan 6 02:25:09 UTC 2025


#71760: OpenSSL-3.4.0 legacy provider improperly built/configured
-------------------------+--------------------
  Reporter:  mouse07410  |      Owner:  (none)
      Type:  defect      |     Status:  new
  Priority:  Normal      |  Milestone:
 Component:  ports       |    Version:
Resolution:              |   Keywords:
      Port:  openssl3    |
-------------------------+--------------------

Comment (by mouse07410):

 > I still think that .. well, you know what I think.

 :-)  Yes I know. Respectfully disagree though.  :-)

 {{{
 $ diff -u /opt/local/libexec/openssl3/etc/openssl/openssl.cnf.dist
 /opt/local/libexec/openssl3/etc/openssl/openssl.cnf
 --- /opt/local/libexec/openssl3/etc/openssl/openssl.cnf.dist    2025-01-05
 09:53:21
 +++ /opt/local/libexec/openssl3/etc/openssl/openssl.cnf 2025-01-05
 10:31:21
 @@ -52,26 +52,8 @@

  [openssl_init]
  providers = provider_sect
 +engines = engine_sect

 -# List of providers to load
 -[provider_sect]
 -default = default_sect
 -# The fips section name should match the section name inside the
 -# included fipsmodule.cnf.
 -# fips = fips_sect
 -
 -# If no providers are activated explicitly, the default one is activated
 implicitly.
 -# See man 7 OSSL_PROVIDER-default for more details.
 -#
 -# If you add a section explicitly activating any other provider(s), you
 most
 -# probably need to explicitly activate the default provider, otherwise it
 -# becomes unavailable in openssl.  As a consequence applications
 depending on
 -# OpenSSL may not work correctly which could lead to significant system
 -# problems including inability to remotely access the system.
 -[default_sect]
 -# activate = 1
 -
 -
  ####################################################################
  [ ca ]
  default_ca     = CA_default            # The default ca section
 @@ -142,7 +124,7 @@

  ####################################################################
  [ req ]
 -default_bits           = 2048
 +default_bits           = 3072
  default_keyfile        = privkey.pem
  distinguished_name     = req_distinguished_name
  attributes             = req_attributes
 @@ -165,24 +147,24 @@

  [ req_distinguished_name ]
  countryName                    = Country Name (2 letter code)
 -countryName_default            = AU
 +countryName_default            = US
  countryName_min                        = 2
  countryName_max                        = 2

  stateOrProvinceName            = State or Province Name (full name)
 -stateOrProvinceName_default    = Some-State
 +stateOrProvinceName_default    = Massachusetts

  localityName                   = Locality Name (eg, city)

  0.organizationName             = Organization Name (eg, company)
 -0.organizationName_default     = Internet Widgits Pty Ltd
 +0.organizationName_default     = XXXsomething_elseXXX

  # we can do this but it is not needed normally :-)
  #1.organizationName            = Second Organization Name (eg, company)
  #1.organizationName_default    = World Wide Web Pty Ltd

  organizationalUnitName         = Organizational Unit Name (eg, section)
 -#organizationalUnitName_default        =
 +organizationalUnitName_default = XXXsome_other_defaultXXX

  commonName                     = Common Name (e.g. server FQDN or YOUR
 name)
  commonName_max                 = 64
 @@ -388,3 +370,73 @@
  # Certificate revocation
  cmd = rr
  oldcert = $insta::certout # insta.cert.pem
 +
 +######
 +# List of providers to load
 +[provider_sect]
 + default = default_prov
 + oqs = oqs_prov
 + pkcs11 = pkcs11_prov
 + #gost = gost_prov
 + legacy = legacy_prov
 +
 +# The fips section name should match the section name inside the
 +# included fipsmodule.cnf.
 +# fips = fips_sect
 +
 +# If no providers are activated explicitly, the default one is activated
 implicitly.
 +# See man 7 OSSL_PROVIDER-default for more details.
 +#
 +# If you add a section explicitly activating any other provider(s), you
 most
 +# probably need to explicitly activate the default provider, otherwise it
 +# becomes unavailable in openssl.  As a consequence applications
 depending on
 +# OpenSSL may not work correctly which could lead to significant system
 +# problems including inability to remotely access the system.
 +[default_prov]
 + activate = 1
 +
 +[oqs_prov]
 + module = /opt/local/libexec/openssl3/lib/ossl-modules/oqsprovider.dylib
 + activate = 1
 +
 +[pkcs11_prov]
 + module = /opt/local/libexec/openssl3/lib/ossl-modules/pkcs11.dylib
 + pkcs11-module-quirks = no-deinit no-allowed-mechanisms
 + #pkcs11-module-load-behavior = early
 + pkcs11-module-login-behavior = auto
 + #pkcs11-module-login-behavior = always
 + pkcs11-module-cache-pins = cache
 + #pkcs11-module-path = /Library/OpenSC/lib/opensc-pkcs11.so
 + #pkcs11-module-path = /usr/local/lib/libykcs11.dylib
 + pkcs11-module-path = /usr/local/lib/p11-kit-proxy.dylib
 + #pkcs11-module-path = /opt/local/lib/p11-kit-proxy.dylib
 + #pkcs11-module-path = /opt/p11kit/local/lib/p11-kit-proxy.dylib
 + activate = 1
 +
 +[gost_prov]
 + module = /opt/local/libexec/openssl3/lib/ossl-modules/gostprov.dylib
 + activate = 0
 +
 +[legacy_prov]
 + activate = 0
 +
 +[engine_sect]
 + #pkcs11 = pkcs11_section
 + gost = gost_section
 +
 +[pkcs11_section]
 + engine_id = pkcs11
 + dynamic_path = /opt/local/libexec/openssl3/lib/engines-3/pkcs11.dylib
 + MODULE_PATH = /Library/OpenSC/lib/opensc-pkcs11.so
 + init = 0
 +
 +[gost_section]
 + engine_id = gost
 + dynamic_path = /opt/local/libexec/openssl3/lib/engines-3/gost.dylib
 + default_algorithms = ALL
 + #CRYPT_PARAMS = id-Gost28147-89-CryptoPro-A-ParamSet
 + #CRYPT-PARAMS = id-GostR3410-2001-CryptoPro-A-ParamSet
 + PBE_PARAMS = "gost12_512"
 + init = 0
 +
 +########################
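Review bot: The `[legacy_prov]` section near the end of the hunk has `activate = 0` and no `module` line, so this configuration does not load the legacy provider the ticket is about; exercising it through this file would need it activated here or loaded by the application, and leaving it off keeps the deprecated algorithms it carries out of every process that reads this openssl.cnf. The `[pkcs11_prov]` section combines `pkcs11-module-login-behavior = auto`, `pkcs11-module-cache-pins = cache` and the `no-allowed-mechanisms` quirk, which as far as I read these options keeps token PINs resident in process memory for re-login and switches off the module's allowed-mechanisms check — a comment above the section stating that the trade-off is deliberate, e.g. `# auto-login + cache-pins chosen for unattended use; PIN stays in process memory`, would stop the next reader from treating it as an oversight. `#gost = gost_prov` is commented out in `[provider_sect]` while `[gost_prov]` (`activate = 0`) is still defined and the same gost code is instead reached through the deprecated ENGINE path in `[engine_sect]`; either the dead provider section should go or a comment should say which of the two paths is meant to be live.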
 }}}

-- 
Ticket URL: <https://trac.macports.org/ticket/71760#comment:6>

