
Add config_diagnostics to our configuration files.

The change to a more configuration-based approach to enabling FIPS mode
operation highlights a shortcoming in the "default should do something"
approach we've taken for bad configuration files.

Currently, a bad configuration file will be automatically loaded and
once the badness is detected, it will silently stop processing the
configuration and continue normal operations. This is good for remote
servers, allowing changes to be made without bricking things. It's bad
when a user thinks they've configured what they want but got something
wrong and it still appears to work.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16171)
master
Pauli 2 months ago
parent
commit
92c03668c0
20 changed files with 63 additions and 4 deletions
  1. +1
    -2
      apps/openssl-vms.cnf
  2. +1
    -2
      apps/openssl.cnf
  3. +6
    -0
      demos/bio/accept.cnf
  4. +3
    -0
      demos/bio/cmod.cnf
  5. +6
    -0
      demos/bio/connect.cnf
  6. +4
    -0
      demos/certs/apps/apps.cnf
  7. +3
    -0
      demos/certs/ca.cnf
  8. +3
    -0
      test/CAtsa.cnf
  9. +3
    -0
      test/ca-and-certs.cnf
  10. +3
    -0
      test/ct/log_list.cnf
  11. +3
    -0
      test/default-and-fips.cnf
  12. +3
    -0
      test/default-and-legacy.cnf
  13. +3
    -0
      test/default.cnf
  14. +3
    -0
      test/fips-and-base.cnf
  15. +3
    -0
      test/fips.cnf
  16. +3
    -0
      test/legacy.cnf
  17. +3
    -0
      test/provider_internal_test.cnf.in
  18. +3
    -0
      test/proxy.cnf
  19. +3
    -0
      test/smime-certs/ca.cnf
  20. +3
    -0
      test/sysdefault.cnf

+ 1
- 2
apps/openssl-vms.cnf View File

@ -16,8 +16,7 @@ HOME = .
# Use this in order to automatically load providers.
openssl_conf = openssl_init
# Comment this out if you deliberately want to ignore
# configuration errors
# Comment out the next line to ignore configuration errors
config_diagnostics = 1
# Extra OBJECT IDENTIFIER info:
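Review bot: The new comment `# Comment out the next line to ignore configuration errors` says how to switch the check off but not what it guards against, which for the shipped default config is the point the commit message makes: without it a broken provider or FIPS section is skipped silently and the process keeps running with whatever did load. For apps/openssl-vms.cnf and apps/openssl.cnf, and the identical comment added in the other 18 files, I'd prefer wording that states the consequence, e.g. `# With config_diagnostics set, errors in this file (including a failed` / `# provider or FIPS module load) are reported as fatal instead of being` / `# ignored silently. Comment it out only if you deliberately want that.` The key sits before the first section header in every file here; if it is indeed looked up in the global section, the comment could also say it must stay there. Note the rewording also drops "deliberately" from the old two-line comment, which was the one hint that ignoring errors is an opt-in rather than the default.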


+ 1
- 2
apps/openssl.cnf View File

@ -16,8 +16,7 @@ HOME = .
# Use this in order to automatically load providers.
openssl_conf = openssl_init
# Comment this out if you deliberately want to ignore
# configuration errors
# Comment out the next line to ignore configuration errors
config_diagnostics = 1
# Extra OBJECT IDENTIFIER info:


+ 6
- 0
demos/bio/accept.cnf View File

@ -1,10 +1,16 @@
# Example configuration file
# Comment out the next line to ignore configuration errors
config_diagnostics = 1
# Port to listen on
Port = 4433
# Disable TLS v1.2 for test.
# Protocol = ALL, -TLSv1.2
# Only support 3 curves
Curves = P-521:P-384:P-256
# Restricted signature algorithms
SignatureAlgorithms = RSA+SHA512:ECDSA+SHA512
Certificate=server.pem
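Review bot: `config_diagnostics = 1` is added to the same unnamed section as `Port`, `Curves` and `SignatureAlgorithms` here and in demos/bio/connect.cnf, and those files read like SSL_CONF command lists that a demo feeds to SSL_CONF_cmd key by key rather than module configuration processed by CONF_modules_load. If that is how server-conf.c and client-conf.c consume them, `config_diagnostics` will reach SSL_CONF_cmd as an unknown command and the demo will either reject the file or skip the key, so the comment promises a check that never runs. Worth running both demos once before merging; if the key is not honored there it should be dropped from these two files rather than documented as active. I'm inferring the consumer from the key names, as the demo sources are not part of this diff.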


+ 3
- 0
demos/bio/cmod.cnf View File

@ -4,6 +4,9 @@
# and section containing configuration
testapp = test_sect
# Comment out the next line to ignore configuration errors
config_diagnostics = 1
[test_sect]
# list of configuration modules


+ 6
- 0
demos/bio/connect.cnf View File

@ -1,9 +1,15 @@
# Example configuration file
# Comment out the next line to ignore configuration errors
config_diagnostics = 1
# Connects to the default port of s_server
Connect = localhost:4433
# Disable TLS v1.2 for test.
# Protocol = ALL, -TLSv1.2
# Only support 3 curves
Curves = P-521:P-384:P-256
# Restricted signature algorithms
SignatureAlgorithms = RSA+SHA512:ECDSA+SHA512

+ 4
- 0
demos/certs/apps/apps.cnf View File

@ -7,6 +7,10 @@
HOME = .
CN = "Not Defined"
# Comment out the next line to ignore configuration errors
config_diagnostics = 1
####################################################################
[ req ]
default_bits = 2048


+ 3
- 0
demos/certs/ca.cnf View File

@ -8,6 +8,9 @@ HOME = .
CN = "Not Defined"
default_ca = ca
# Comment out the next line to ignore configuration errors
config_diagnostics = 1
####################################################################
[ req ]
default_bits = 1024


+ 3
- 0
test/CAtsa.cnf View File

@ -3,6 +3,9 @@
# This config is used by the Time Stamp Authority tests.
#
# Comment out the next line to ignore configuration errors
config_diagnostics = 1
# Extra OBJECT IDENTIFIER info:
oid_section = new_oids


+ 3
- 0
test/ca-and-certs.cnf View File

@ -1,4 +1,7 @@
# Comment out the next line to ignore configuration errors
config_diagnostics = 1
CN2 = Brother 2
####################################################################


+ 3
- 0
test/ct/log_list.cnf View File

@ -1,5 +1,8 @@
enabled_logs=test,pilot,aviator,rocketeer,digicert,certly,izempe,symantec,venafi
# Comment out the next line to ignore configuration errors
config_diagnostics = 1
[test]
description = https://github.com/google/certificate-transparency/tree/99218b6445906a81f219d84e9c6d2683e13e4e58/test/testdata
key = MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEmXg8sUUzwBYaWrRb+V0IopzQ6o3UyEJ04r5ZrRXGdpYM8K+hB0pXrGRLI0eeWz+3skXrS0IO83AhA3GpRL6s6w==
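Review bot: test/ct/log_list.cnf is a CT log list (`enabled_logs` plus one section per log with `description` and `key`), and a log list is normally read by the CTLOG_STORE loader, which parses the file with NCONF and looks those keys up directly; `config_diagnostics` is consulted by the configuration-module loader, so unless the CT code also runs CONF_modules_load on this file the new key is inert here. If so, `# Comment out the next line to ignore configuration errors` describes behavior this file does not have and should either be dropped or rephrased to say the key is present only for consistency. I'm inferring the consumer from the file's contents; the loader is not shown in this diff.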


+ 3
- 0
test/default-and-fips.cnf View File

@ -1,5 +1,8 @@
openssl_conf = openssl_init
# Comment out the next line to ignore configuration errors
config_diagnostics = 1
.include fipsmodule.cnf
[openssl_init]


+ 3
- 0
test/default-and-legacy.cnf View File

@ -1,5 +1,8 @@
openssl_conf = openssl_init
# Comment out the next line to ignore configuration errors
config_diagnostics = 1
[openssl_init]
providers = provider_sect


+ 3
- 0
test/default.cnf View File

@ -1,5 +1,8 @@
openssl_conf = openssl_init
# Comment out the next line to ignore configuration errors
config_diagnostics = 1
[openssl_init]
providers = provider_sect


+ 3
- 0
test/fips-and-base.cnf View File

@ -1,5 +1,8 @@
openssl_conf = openssl_init
# Comment out the next line to ignore configuration errors
config_diagnostics = 1
.include fipsmodule.cnf
[openssl_init]


+ 3
- 0
test/fips.cnf View File

@ -1,5 +1,8 @@
openssl_conf = openssl_init
# Comment out the next line to ignore configuration errors
config_diagnostics = 1
.include fipsmodule.cnf
[openssl_init]
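Review bot: For test/fips.cnf, test/default-and-fips.cnf and test/fips-and-base.cnf the failure mode that matters is the `.include fipsmodule.cnf` on the line after the new key: with diagnostics on, a missing fipsmodule.cnf, or a module whose integrity check or self-tests fail when the provider is activated, should now fail the configuration load instead of leaving the test running without the FIPS provider. That is exactly what the commit message asks for, so it deserves to be spelled out instead of the generic wording, e.g. `# Keep config_diagnostics on: a missing or failing fipsmodule.cnf must abort` / `# configuration loading rather than silently run without the FIPS provider.` Whether a failed provider activation is surfaced through config_diagnostics or only through the later provider load is not visible in this diff; if it is the latter, the comment should say so. The hunk ends at the `[openssl_init]` header, before the provider sections it introduces.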


+ 3
- 0
test/legacy.cnf View File

@ -1,5 +1,8 @@
openssl_conf = openssl_init
# Comment out the next line to ignore configuration errors
config_diagnostics = 1
[openssl_init]
providers = provider_sect


+ 3
- 0
test/provider_internal_test.cnf.in View File

@ -1,3 +1,6 @@
# Comment out the next line to ignore configuration errors
config_diagnostics = 1
{- use platform -}
openssl_conf = openssl_init


+ 3
- 0
test/proxy.cnf View File

@ -1,6 +1,9 @@
## Config file for proxy certificate testing.
# Comment out the next line to ignore configuration errors
config_diagnostics = 1
[ req ]
distinguished_name = req_distinguished_name_p1
encrypt_rsa_key = no


+ 3
- 0
test/smime-certs/ca.cnf View File

@ -2,6 +2,9 @@
# OpenSSL example configuration file for automated certificate creation.
#
# Comment out the next line to ignore configuration errors
config_diagnostics = 1
# This definition stops the following lines choking if HOME or CN
# is undefined.
HOME = .


+ 3
- 0
test/sysdefault.cnf View File

@ -1,5 +1,8 @@
# Configuration file to test system default SSL configuration
# Comment out the next line to ignore configuration errors
config_diagnostics = 1
openssl_conf = default_conf
[ default_conf ]

