Libressl use $EASYRSA_FORCE_SAFE_SSL

ChangeLog

@@ -2,6 +2,7 @@ Easy-RSA 3 ChangeLog
 
 3.2.5 (TBD)
 
+   * Libressl: Use ONLY $EASYRSA_FORCE_SAFE_SSL (25b7485) (#1402)
    * select_x509_type_tmp(): This compliments select_ssl_cnf_tmp() (dc754e4) (#1401)
    * select_ssl_cnf_tmp(): Replace provide_EASYRSA_SSL_CONF_tmp() (538ad3d) (#1401)
    * inline_file(): Make unknown certificate type non-fatal (b2373e2) (#1399)

easyrsa3/easyrsa

@@ -1220,7 +1220,7 @@ easyrsa_openssl() {
 	[ -f "$EASYRSA_SSL_CONF" ] || \
 			die "easyrsa_openssl - Missing EASYRSA_SSL_CONF"
 
-	if [ "$ssl_cnf_type" = safe-cnf ] || [ "$EASYRSA_FORCE_SAFE_SSL" ]; then
+	if [ "$EASYRSA_FORCE_SAFE_SSL" ]; then
 		final_safe_ssl_cnf=
 		easyrsa_mktemp final_safe_ssl_cnf
 
@@ -1275,17 +1275,11 @@ verify_ssl_lib() {
 	# SSL lib name
 	case "${val%% *}" in
 		OpenSSL)
-			ssl_lib=openssl
-			# Honor EASYRSA_FORCE_SAFE_SSL
-			if [ "$EASYRSA_FORCE_SAFE_SSL" ]; then
-				ssl_cnf_type=safe-cnf
-			else
-				ssl_cnf_type=ssl-cnf
-			fi
+			ssl_lib_name=openssl
 			;;
 		LibreSSL)
-			ssl_lib=libressl
-			ssl_cnf_type=safe-cnf
+			ssl_lib_name=libressl
+			export EASYRSA_FORCE_SAFE_SSL=1
 			;;
 		*)
 			error_msg="$("$EASYRSA_OPENSSL" version 2>&1)"
@@ -1305,15 +1299,15 @@ $error_msg"
 		1) no_password='-nodes' ;;
 		2) no_password='-nodes' ;;
 		3|4)
-			case "$ssl_lib" in
+			case "$ssl_lib_name" in
 				openssl)
 					openssl_v3=1
 					no_password='-noenc'
 					;;
 				libressl)
 					no_password='-nodes'
 					;;
-				*) die "Unexpected SSL library: $ssl_lib"
+				*) die "Unexpected SSL library: $ssl_lib_name"
 			esac
 			;;
 		*) die "Unexpected SSL version: $osslv_major"
@@ -5236,7 +5230,7 @@ ssl_cert_x509v3_eku() {
 	ceku_known=
 
 	# Extract certificate Extended Key Usage
-	if [ "$ssl_lib" = libressl ]; then
+	if [ "$ssl_lib_name" = libressl ]; then
 		ceku_eku="$(
 			"$EASYRSA_OPENSSL" x509 -in "$ceku_crt" -noout \
 				-text | \