From 5bea09ef503e0bc379bb4f624248e6dce67e3ca8 Mon Sep 17 00:00:00 2001
From: David Michael <david.michael@coreos.com>
Date: Wed, 8 Mar 2017 16:00:53 -0800
Subject: [PATCH] dev-libs/openssl: generate /etc/ssl at boot

---
 .../dev-libs/openssl/files/openssl.conf         |  3 +++
 ...l-1.0.2k.ebuild => openssl-1.0.2k-r1.ebuild} | 17 +++++++++--------
 2 files changed, 12 insertions(+), 8 deletions(-)
 create mode 100644 sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl.conf
 rename sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/{openssl-1.0.2k.ebuild => openssl-1.0.2k-r1.ebuild} (96%)

diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl.conf b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl.conf
new file mode 100644
index 0000000000..ce86101ce7
--- /dev/null
+++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/files/openssl.conf
@@ -0,0 +1,3 @@
+d	/etc/ssl		-	-	-	-	-
+d	/etc/ssl/private	0700	-	-	-	-
+L	/etc/ssl/openssl.cnf	-	-	-	-	../../usr/share/ssl/openssl.cnf
diff --git a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.0.2k.ebuild b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.0.2k-r1.ebuild
similarity index 96%
rename from sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.0.2k.ebuild
rename to sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.0.2k-r1.ebuild
index e0488a3d2d..dd3c48e6cf 100644
--- a/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.0.2k.ebuild
+++ b/sdk_container/src/third_party/coreos-overlay/dev-libs/openssl/openssl-1.0.2k-r1.ebuild
@@ -4,7 +4,7 @@
 
 EAPI="5"
 
-inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal
+inherit eutils flag-o-matic toolchain-funcs multilib multilib-minimal systemd
 
 MY_P=${P/_/-}
 DESCRIPTION="full-strength general purpose cryptography library (including SSL and TLS)"
@@ -212,11 +212,6 @@ multilib_src_install_all() {
 	# twice; once with shared lib support enabled and once without.
 	use static-libs || rm -f "${ED}"/usr/lib*/lib*.a
 
-	# create the certs directory
-	dodir ${SSL_CNF_DIR}/certs
-	cp -RP certs/* "${ED}"${SSL_CNF_DIR}/certs/ || die
-	rm -r "${ED}"${SSL_CNF_DIR}/certs/{demo,expired}
-
 	# Namespace openssl programs to prevent conflicts with other man pages
 	cd "${ED}"/usr/share/man
 	local m d s
@@ -242,6 +237,12 @@ multilib_src_install_all() {
 	dodir /etc/sandbox.d #254521
 	echo 'SANDBOX_PREDICT="/dev/crypto"' > "${ED}"/etc/sandbox.d/10openssl
 
-	diropts -m0700
-	keepdir ${SSL_CNF_DIR}/private
+	# Don't keep the sample CA files and their ilk in /etc.
+	rm -r "${ED}"${SSL_CNF_DIR}
+
+	# Save the default openssl.cnf in /usr and link it into place.
+	dodir /usr/share/ssl
+	insinto /usr/share/ssl
+	doins "${S}"/apps/openssl.cnf
+	systemd_dotmpfilesd ${FILESDIR}/openssl.conf
 }