Add config_diagnostics to our configuration files.

The change to a more configuration based approach to enable FIPS mode
operation highlights a shortcoming in the default should do something
approach we've taken for bad configuration files.

Currently, a bad configuration file will be automatically loaded and
once the badness is detected, it will silently stop processing the
configuration and continue normal operations. This is good for remote
servers, allowing changes to be made without bricking things. It's bad
when a user thinks they've configured what they want but got something
wrong and it still appears to work.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16171)

diff --git a/apps/openssl-vms.cnf b/apps/openssl-vms.cnf
index f18e63c3518e8dc1bd5e6a0f28d0d38ca366cc80..4d96a1f32d2e14e5dc25a69f3dce0bbdb944dd4b 100644 (file)
--- a/apps/openssl-vms.cnf
+++ b/apps/openssl-vms.cnf
@@ -16,8 +16,7 @@ HOME                  = .
  # Use this in order to automatically load providers.
 openssl_conf = openssl_init
 
-# Comment this out if you deliberately want to ignore
-# configuration errors
+# Comment out the next line to ignore configuration errors
 config_diagnostics = 1
 
 # Extra OBJECT IDENTIFIER info:

diff --git a/apps/openssl.cnf b/apps/openssl.cnf
index 97567a67be6d23153830620f03b58dc4f623c09c..ffb424a871c9fbd00f3ba3169f6fb76365100133 100644 (file)
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -16,8 +16,7 @@ HOME                  = .
  # Use this in order to automatically load providers.
 openssl_conf = openssl_init
 
-# Comment this out if you deliberately want to ignore
-# configuration errors
+# Comment out the next line to ignore configuration errors
 config_diagnostics = 1
 
 # Extra OBJECT IDENTIFIER info:

diff --git a/demos/bio/accept.cnf b/demos/bio/accept.cnf
index cb0cefba753268321cdb91fe34e76333d58a000c..ce36678ee9cadabec558f1d97747e594ad7a872d 100644 (file)
--- a/demos/bio/accept.cnf
+++ b/demos/bio/accept.cnf
@@ -1,10 +1,16 @@
 # Example configuration file
+
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
 # Port to listen on
 Port = 4433
+
 # Disable TLS v1.2 for test.
 # Protocol = ALL, -TLSv1.2
 # Only support 3 curves
 Curves = P-521:P-384:P-256
+
 # Restricted signature algorithms
 SignatureAlgorithms = RSA+SHA512:ECDSA+SHA512
 Certificate=server.pem

diff --git a/demos/bio/cmod.cnf b/demos/bio/cmod.cnf
index 39ac54edd9b509907e4f495e5fd3abd210fe7f7b..df514dba790914cd1d2409448c7d43249caf1eaf 100644 (file)
--- a/demos/bio/cmod.cnf
+++ b/demos/bio/cmod.cnf
@@ -4,6 +4,9 @@
 # and section containing configuration
 testapp = test_sect
 
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
 [test_sect]
 # list of configuration modules
 

diff --git a/demos/bio/connect.cnf b/demos/bio/connect.cnf
index ab764403a4742d8eeec488dc7f1f78d9628d3d77..0049a77b2d62d21fac6685208ff2153bb39b73ab 100644 (file)
--- a/demos/bio/connect.cnf
+++ b/demos/bio/connect.cnf
@@ -1,9 +1,15 @@
 # Example configuration file
+
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
 # Connects to the default port of s_server
 Connect = localhost:4433
+
 # Disable TLS v1.2 for test.
 # Protocol = ALL, -TLSv1.2
 # Only support 3 curves
 Curves = P-521:P-384:P-256
+
 # Restricted signature algorithms
 SignatureAlgorithms = RSA+SHA512:ECDSA+SHA512

diff --git a/demos/certs/apps/apps.cnf b/demos/certs/apps/apps.cnf
index 07a3d10b551e32561126e9eb4e0533c07c973943..72ed70de7582ddb3e426ea123674178aabfadf89 100644 (file)
--- a/demos/certs/apps/apps.cnf
+++ b/demos/certs/apps/apps.cnf
@@ -7,6 +7,10 @@
 HOME                   = .
 CN                     = "Not Defined"
 
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
+
 ####################################################################
 [ req ]
 default_bits           = 2048

diff --git a/demos/certs/ca.cnf b/demos/certs/ca.cnf
index 2fbf20490b73ad0f4b62f2bb971cf9a77bb4c2a3..e0c73c4eefee5b44b295f3954ce0ad8df4ba9c55 100644 (file)
--- a/demos/certs/ca.cnf
+++ b/demos/certs/ca.cnf
@@ -8,6 +8,9 @@ HOME                    = .
 CN                     = "Not Defined"
 default_ca             = ca
 
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
 ####################################################################
 [ req ]
 default_bits           = 1024

diff --git a/test/CAtsa.cnf b/test/CAtsa.cnf
index e232e7023ef1a67307d97cbf466434ee8f2bb249..50f68cbc196653bd0d095d6305bcace25ac3eb03 100644 (file)
--- a/test/CAtsa.cnf
+++ b/test/CAtsa.cnf
@@ -3,6 +3,9 @@
 # This config is used by the Time Stamp Authority tests.
 #
 
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
 # Extra OBJECT IDENTIFIER info:
 oid_section            = new_oids
 

diff --git a/test/ca-and-certs.cnf b/test/ca-and-certs.cnf
index f6663924ae06a75e99b301c0607b8761a9a525a5..463b49954c63f875094fda21f4c2665caa07e794 100644 (file)
--- a/test/ca-and-certs.cnf
+++ b/test/ca-and-certs.cnf
@@ -1,4 +1,7 @@
 
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
 CN2 = Brother 2
 
 ####################################################################

diff --git a/test/ct/log_list.cnf b/test/ct/log_list.cnf
index 4b68e535580312d67ed4ed814bddafbffbac84a1..b723b8c9f69129fe94f5fa2cd3675de64d4db769 100644 (file)
--- a/test/ct/log_list.cnf
+++ b/test/ct/log_list.cnf
@@ -1,5 +1,8 @@
 enabled_logs=test,pilot,aviator,rocketeer,digicert,certly,izempe,symantec,venafi
 
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
 [test]
 description = https://github.com/google/certificate-transparency/tree/99218b6445906a81f219d84e9c6d2683e13e4e58/test/testdata
 key = MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEmXg8sUUzwBYaWrRb+V0IopzQ6o3UyEJ04r5ZrRXGdpYM8K+hB0pXrGRLI0eeWz+3skXrS0IO83AhA3GpRL6s6w==

diff --git a/test/default-and-fips.cnf b/test/default-and-fips.cnf
index 7a4d765591c3e3f95e32196f168ae1e11c84d608..2ca6487fd2fdda2bb5a69d5588749502d94414b7 100644 (file)
--- a/test/default-and-fips.cnf
+++ b/test/default-and-fips.cnf
@@ -1,5 +1,8 @@
 openssl_conf = openssl_init
 
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
 .include fipsmodule.cnf
 
 [openssl_init]

diff --git a/test/default-and-legacy.cnf b/test/default-and-legacy.cnf
index adfa225f64aaf4224dc114109ed6ab3b465c2e0c..4e288a45eac8be1fffe0b98f2199e1c2431acaee 100644 (file)
--- a/test/default-and-legacy.cnf
+++ b/test/default-and-legacy.cnf
@@ -1,5 +1,8 @@
 openssl_conf = openssl_init
 
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
 [openssl_init]
 providers = provider_sect
 

diff --git a/test/default.cnf b/test/default.cnf
index 12da8cb5bdd64dce9fca06198ffb520f44cba9b3..f29d0e92bae8e8c75496ab6e2240e1b3d22b8eed 100644 (file)
--- a/test/default.cnf
+++ b/test/default.cnf
@@ -1,5 +1,8 @@
 openssl_conf = openssl_init
 
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
 [openssl_init]
 providers = provider_sect
 

diff --git a/test/fips-and-base.cnf b/test/fips-and-base.cnf
index 0caf2b88a4341c95fb9df076a07c3d30c667198e..494e96a87ef30d94d5cc6565cde446977af23a07 100644 (file)
--- a/test/fips-and-base.cnf
+++ b/test/fips-and-base.cnf
@@ -1,5 +1,8 @@
 openssl_conf = openssl_init
 
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
 .include fipsmodule.cnf
 
 [openssl_init]

diff --git a/test/fips.cnf b/test/fips.cnf
index fa131a8bf6246d0911c2ca92d06582cacb8c13e9..74349c80aeb5e61df7f2d3077292d0ab0f531654 100644 (file)
--- a/test/fips.cnf
+++ b/test/fips.cnf
@@ -1,5 +1,8 @@
 openssl_conf = openssl_init
 
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
 .include fipsmodule.cnf
 
 [openssl_init]

diff --git a/test/legacy.cnf b/test/legacy.cnf
index 60b09a1e34f39f37ba437cb9a3ce6130235bb9aa..ffbcbd16ba1b52eb0ad445ac5d6a9e1732c9997c 100644 (file)
--- a/test/legacy.cnf
+++ b/test/legacy.cnf
@@ -1,5 +1,8 @@
 openssl_conf = openssl_init
 
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
 [openssl_init]
 providers = provider_sect
 

diff --git a/test/provider_internal_test.cnf.in b/test/provider_internal_test.cnf.in
index 12c292437ea93e451e85fe4f0886ada6aed4ef73..16c555c844940f3e982baec9094d82828ee68964 100644 (file)
--- a/test/provider_internal_test.cnf.in
+++ b/test/provider_internal_test.cnf.in
@@ -1,3 +1,6 @@
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
 {- use platform -}
 openssl_conf = openssl_init
 

diff --git a/test/proxy.cnf b/test/proxy.cnf
index ceac227c04ad6e857895e79db094d07deecd4246..cfb862cbda21a991bb48b7ff810ca13350691d29 100644 (file)
--- a/test/proxy.cnf
+++ b/test/proxy.cnf
@@ -1,6 +1,9 @@
 
 ## Config file for proxy certificate testing.
 
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
 [ req ]
 distinguished_name     = req_distinguished_name_p1
 encrypt_rsa_key                = no

diff --git a/test/smime-certs/ca.cnf b/test/smime-certs/ca.cnf
index 00d40e74791e8223cb8a64917eb73e574db4b956..31bddea1fa037a414d442a9f9d60a643bbdee016 100644 (file)
--- a/test/smime-certs/ca.cnf
+++ b/test/smime-certs/ca.cnf
@@ -2,6 +2,9 @@
 # OpenSSL example configuration file for automated certificate creation.
 #
 
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
 # This definition stops the following lines choking if HOME or CN
 # is undefined.
 HOME                   = .

diff --git a/test/sysdefault.cnf b/test/sysdefault.cnf
index 5473d837c10f3539423369a10e3af52e136a3b10..0094831608ee32a551d9c3710c32b76ffcee8d33 100644 (file)
--- a/test/sysdefault.cnf
+++ b/test/sysdefault.cnf
@@ -1,5 +1,8 @@
 # Configuration file to test system default SSL configuration
 
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
 openssl_conf = default_conf
 
 [ default_conf ]