| commit | c3f3200ed3ba7552d65446b03dd59234d10ef3b3 | |
| author | Kyle J. McKay <mackyle@gmail.com> | |
| Thu, 4 Mar 2021 00:20:05 +0000 (3 17:20 -0700) | ||
| committer | Kyle J. McKay <mackyle@gmail.com> | |
| Thu, 4 Mar 2021 00:20:05 +0000 (3 17:20 -0700) | ||
| tree | df77044743611447305375e9e72f4eadaef122dc | treesnapshot (tar.gz zip) |
| parent | d280e3e809a3eed1cedcc4b4221b031ae880a1d1 | commitdiff |
install.sh: accomodate newer OpenSSL breakage
Older versions of OpenSSL (and all versions of LibreSSL) output
the result of `openssl x509 -noout -subject` like so:
subject= /CN=localhost
On the other hand, newer OpenSSL versions have determined to break
parsers that expect that output by changing it to look like so:
subject=CN = localhost
Add suitable munging (very ugly) so that either output will end
up providing the string we're looking for (the first version with
the leading "subject= " stripped off).
With this change, the certificate and certificate chain stops
being regenerated on every install even when it's unnecessary.
It's harmless to do so (other than a minor waste of CPU time) since
the generation is deterministic and always produces the same output
when given the same input (which is the case here).
There may be some (bizarre) option to make the more recent versions
of OpenSSL output in the older format, but then that option would
likely not work with the older versions and a different kind of
ugliness would ensue attempting to determine whether or not to
pass the option to avoid breakage that way.
The ugliness being used here does not depend on passing any magic and
unreliable options to the `openssl` command to avoid such issues.
Signed-off-by: Kyle J. McKay <mackyle@gmail.com>
Older versions of OpenSSL (and all versions of LibreSSL) output
the result of `openssl x509 -noout -subject` like so:
subject= /CN=localhost
On the other hand, newer OpenSSL versions have determined to break
parsers that expect that output by changing it to look like so:
subject=CN = localhost
Add suitable munging (very ugly) so that either output will end
up providing the string we're looking for (the first version with
the leading "subject= " stripped off).
With this change, the certificate and certificate chain stops
being regenerated on every install even when it's unnecessary.
It's harmless to do so (other than a minor waste of CPU time) since
the generation is deterministic and always produces the same output
when given the same input (which is the case here).
There may be some (bizarre) option to make the more recent versions
of OpenSSL output in the older format, but then that option would
likely not work with the older versions and a different kind of
ugliness would ensue attempting to determine whether or not to
pass the option to avoid breakage that way.
The ugliness being used here does not depend on passing any magic and
unreliable options to the `openssl` command to avoid such issues.
Signed-off-by: Kyle J. McKay <mackyle@gmail.com>
| install.sh | diffblobblamehistory |