Thursday, November 27, 2014

You have mail. (that you don't want from openssl)

Summary

Do you see the "You have mail." message when you open your terminal?

And do you see this in your mail? (in /private/var/mail/`whoami`)

WARNING: can't open config file: /usr/local/etc/openssl/openssl.cnf

If so, then perhaps your openssl is misconfigured.

Prevent the unwanted "You have mail." message by configuring your Mac to use the brew-installed version of openssl.

First, check which version of openssl you are running:


$ openssl version
OpenSSL 0.9.8za 5 Jun 2014

Next, back up the stock version of openssl:


sudo mv /usr/bin/openssl /usr/bin/openssl_v0.9.8za

Now, install openssl using brew:


brew uninstall openssl
brew prune
brew cleanup
sudo brew install openssl

Then, make brew's openssl the system default:


sudo ln -s `find /usr/local/Cellar/openssl -name openssl| grep \/bin` /usr/bin/openssl

And verify that the openssl you are running is from brew:


$ openssl version -a
OpenSSL 1.0.1j 15 Oct 2014
built on: Fri Oct 17 21:14:05 BST 2014
platform: darwin64-x86_64-cc
options:  bn(64,64) rc4(ptr,char) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: clang -fPIC -fno-common -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -arch x86_64 -O3 -DL_ENDIAN -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/usr/local/etc/openssl"


Create openssl.cnf File

Lastly, if you want to prevent the "WARNING: can't open config file: /usr/local/etc/openssl/openssl.cnf" message, you may need to create that file.

Here's one that should work:

#
# OpenSSL configuration file.
#
 
# Establish working directory.
 
dir     = .
 
[ ca ]
default_ca    = CA_default
 
[ CA_default ]
serial     = $dir/serial
database    = $dir/certindex.txt
new_certs_dir    = $dir/certs
certificate    = $dir/cacert.pem
private_key    = $dir/private/cakey.pem
default_days    = 3650
default_md    = sha256
preserve    = no
email_in_dn    = no
nameopt     = default_ca
certopt     = default_ca
policy     = policy_match
 
[ policy_match ]
countryName    = match
stateOrProvinceName   = match
organizationName   = match
organizationalUnitName   = optional
commonName    = supplied
emailAddress    = optional
 
[ req ]
default_bits    = 2048   # Size of keys
default_keyfile    = key.pem  # name of generated keys
default_md    = sha256    # message digest algorithm
string_mask    = nombstr  # permitted characters
distinguished_name   = req_distinguished_name
req_extensions    = v3_req
 
[ req_distinguished_name ]
# Variable name    Prompt string
#-------------------------   ----------------------------------
0.organizationName   = Organization Name (company)
organizationalUnitName   = Organizational Unit Name (department, division)
emailAddress    = Email Address
emailAddress_max   = 40
localityName    = Locality Name (city, district)
stateOrProvinceName   = State or Province Name (full name)
countryName    = Country Name (2 letter code)
countryName_min    = 2
countryName_max    = 2
commonName    = Common Name (hostname, IP, or your name)
commonName_max    = 64
 
# Default values for the above, for consistency and less typing.
# Variable name    Value
#------------------------   ------------------------------
0.organizationName_default  = My Company
localityName_default   = My Town
stateOrProvinceName_default  = State or Province
countryName_default   = US
 
[ v3_ca ]
basicConstraints   = CA:TRUE
subjectKeyIdentifier   = hash
authorityKeyIdentifier   = keyid:always,issuer:always
 
[ v3_req ]
basicConstraints   = CA:FALSE
subjectKeyIdentifier   = hash


Note that I made the certificate life 10 years. The rest is standard stuff.
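
A check worth running on any openssl.cnf before certificates are signed with it, added here as an example (not part of the original post): it flags weak default_md and default_bits values per section. The function names, the thresholds and the sample file are this example's assumptions.

```shell
#!/bin/sh
# audit_openssl_cnf FILE
# Prints "<section>: <key> = <value> (<reason>)" for each weak default in an
# openssl.cnf and returns 1 if anything was flagged, 0 if the file is clean.
# Thresholds are assumptions of this example: MD2/MD4/MD5/SHA-1 digests and
# key-size defaults under 2048 bits count as weak.
audit_openssl_cnf() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    function flag(k, v, why) {
        printf "%s: %s = %s (%s)\n", section, k, v, why
        bad = 1
    }
    BEGIN { section = "(global)" }
    { sub(/#.*/, "") }                       # strip trailing and whole-line comments
    /^[ \t]*\[/ {                            # "[ req ]" -> "req"
        section = $0
        sub(/^[ \t]*\[[ \t]*/, "", section)
        sub(/[ \t]*\].*$/, "", section)
        next
    }
    index($0, "=") > 0 {
        eq  = index($0, "=")
        key = trim(substr($0, 1, eq - 1))
        val = trim(substr($0, eq + 1))
        if (key == "default_md" && tolower(val) ~ /^(md2|md4|md5|sha1)$/)
            flag(key, val, "weak digest, use sha256")
        if (key == "default_bits" && val + 0 < 2048)
            flag(key, val, "key size below 2048 bits")
    }
    END { exit bad + 0 }
    ' "$1"
}

# Constructed sample, trimmed to the sections that carry the defaults.
write_sample_cnf() {
    cat > "$1" <<'EOF'
dir = .
[ CA_default ]
default_days = 3650
default_md   = md5
[ req ]
default_bits = 1024   # Size of keys
default_md   = sha256 # message digest algorithm
EOF
}
```

Run it as `audit_openssl_cnf /usr/local/etc/openssl/openssl.cnf`; a non-zero exit status means at least one default should be raised before the file is used for signing.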


This work is licensed under the Creative Commons Attribution 3.0 Unported License.
