Openssl config
1/9/2024

There is an nf configuration file for charon under the directory /etc/strongswan.d/charon/nf. In that file, an "engine_id" can be specified. My understanding is that the engine with that id will be used as the default engine for charon. However, the only code which reads the engine_id configuration is in openssl_rsa_private_key.c (under /src/libstrongswan/plugins/openssl). Is there any reason why the engine_id is not used as a default engine for all features of OpenSSL in Charon?

I just added some code in openssl_plugin.c, shown below. I am asking for some feedback about whether the implementation is properly done, or whether there is a better way. Maybe even consider getting it pushed to upstream?

diff --git a/src/libstrongswan/plugins/openssl/openssl_plugin.c b/src/libstrongswan/plugins/openssl/openssl_plugin.c
 * activate support for hardware accelerators */
+ /* load the configured OpenSSL engine and set it as default */
+ engine_id = lib->settings->get_str(lib->settings,
+ DBG2(DBG_LIB, "engine '%s' is not available", engine_id)
+ DBG1(DBG_LIB, "failed to initialize engine '%s'", engine_id)
+ if (!ENGINE_set_default(engine, ENGINE_METHOD_ALL))
+ DBG1(DBG_LIB, "failed to set engine '%s' as default", engine_id)

I debugged through the openssl code to find out what's the problem. I used the following config for configuring a default engine for openssl from my previous testing,

dynamic_path = /usr/lib/engines/libfoo.so

In CONF_modules_load(), the code checks if an "appname" is passed in. If not, it loads the default section called "openssl_conf". The problem is that I added the contents at the end of the file (there are more configs in the file for other purposes); however, openssl expects the contents at the top of the config file. I tried with just the settings for the default engine, and it works. Some settings at the top of the file are not inside a section at all. How do I merge the engine settings with other openssl settings?

Also noted, ENGINE_load_builtin_engines() is already called in OPENSSL_config(). Probably no need to call it again.

For example, config file from this link:

# Simple Root CA

# The [default] section contains global constants that can be referred to from
# the entire configuration file. It may also hold settings pertaining to more
# than one openssl command.

[ default ]
ca                      = root-ca               # CA name
dir                     = .                     # Top dir

# The next part of the configuration file is used by the openssl req command.
# It defines the CA's key pair, its DN, and the desired extensions for the CA
# certificate.

[ req ]
default_bits            = 2048                  # RSA key size
encrypt_key             = yes                   # Protect private key
default_md              = sha1                  # MD to use
utf8                    = yes                   # Input is UTF-8
string_mask             = utf8only              # Emit UTF-8 strings
prompt                  = no                    # Don't prompt for DN
distinguished_name      = ca_dn                 # DN section
req_extensions          = ca_reqext             # Desired extensions

[ ca_dn ]
0.domainComponent       = "org"
1.domainComponent       = "simple"
organizationName        = "Simple Inc"
organizationalUnitName  = "Simple Root CA"
commonName              = "Simple Root CA"

[ ca_reqext ]
keyUsage                = critical,keyCertSign,cRLSign
basicConstraints        = critical,CA:true
subjectKeyIdentifier    = hash

# The remainder of the configuration file is used by the openssl ca command.
# The CA section defines the locations of CA assets, as well as the policies
# applying to the CA.

[ ca ]
default_ca              = root_ca               # The default CA section

[ root_ca ]
certificate             = $dir/ca/$ca.crt       # The CA cert
private_key             = $dir/ca/$ca/private/$ca.key # CA private key
new_certs_dir           = $dir/ca/$ca           # Certificate archive
serial                  = $dir/ca/$ca/db/$ca.crt.srl # Serial number file
crlnumber               = $dir/ca/$ca/db/$ca.crl.srl # CRL number file
database                = $dir/ca/$ca/db/$ca.
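Review bot: in the openssl_plugin.c hunk, the "engine '%s' is not available" case is logged at DBG2 while the two later failures use DBG1, and none of the three failure paths stops plugin initialization, so a mistyped engine_id or a missing shared object leaves charon quietly running on OpenSSL's software implementations, which is the opposite of what an operator configuring a hardware engine expects; log the lookup failure at DBG1 as well, or fail plugin load when an engine_id is configured but cannot be activated. The visible lines also show no cleanup of the engine reference when ENGINE_set_default() fails; the handle obtained for engine_id should be released on that path (ENGINE_finish()/ENGINE_free()) rather than leaked. Finally, ENGINE_METHOD_ALL routes every method type the engine offers through it, RAND included; if only private-key operations are meant to be offloaded, a narrower method mask limits the blast radius of a misbehaving engine.

A merged configuration that answers the "how do I merge the engine settings" question above, added here as an example (it is not from the post, from strongSwan, or from the linked CA config): the only line that must sit in the unnamed default section, before the first section header, is openssl_conf, because OPENSSL_config()/CONF_modules_load() with no appname looks it up there; the engine sections can then be appended after the existing req/ca sections. The engine id foo, the section names openssl_init, engine_section and foo_section, and the library path are assumed placeholders.

```ini
# openssl.cnf, merged layout (added example, not the post's own file).
# Assumptions: engine id "foo", the section names below and the path
# /usr/lib/engines/libfoo.so are placeholders for the real engine.

# ---- unnamed default section: everything before the first [ header ] ----
# OPENSSL_config(NULL) / CONF_modules_load(..., appname=NULL, ...) reads
# "openssl_conf" from here. This is the one line that must be at the top;
# if it is moved below a [ header ] it becomes part of that section and the
# engine is silently not loaded.
openssl_conf            = openssl_init

# Global constants used by the CA sections further down; they are still in
# the default section because no [ header ] has appeared yet.
ca                      = root-ca               # CA name
dir                     = .                     # Top dir

# ---- engine configuration: these sections can live anywhere in the file ----
[ openssl_init ]
engines                 = engine_section        # ENGINE config module entry

[ engine_section ]
foo                     = foo_section           # one entry per engine

[ foo_section ]
engine_id               = foo                   # id the engine registers as
dynamic_path            = /usr/lib/engines/libfoo.so
default_algorithms      = ALL                   # like ENGINE_set_default(ENGINE_METHOD_ALL)
init                    = 1                     # initialize while loading config

# ---- existing settings for other openssl commands stay as they were ----
[ req ]
default_bits            = 2048
default_md              = sha1
prompt                  = no
distinguished_name      = ca_dn

[ ca_dn ]
commonName              = "Simple Root CA"

[ ca ]
default_ca              = root_ca

[ root_ca ]
certificate             = $dir/ca/$ca.crt
private_key             = $dir/ca/$ca/private/$ca.key
```

With OPENSSL_CONF pointing at this file, openssl engine -t -c should list foo as available; if it is absent from that output, the openssl_conf line is not in the default section or the shared object failed to load.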