[openssl-dev] [openssl.org #3633] Enhancement request: CONF_modules_load_file(): please add a CONF_MFLAGS_LOAD_USER_FILE

Stephen Henson via RT rt at openssl.org
Tue Dec 16 15:27:47 UTC 2014


On Fri Dec 12 17:52:22 2014, sdaoden at yandex.com wrote:
> Hello,
>
> while following Rich Salz's suggestion to make use of
> CONF_modules_load_file() I stumbled personally over the
> restriction that only a global openssl.cnf seems to be supported.
> There is no support for automatic loading of a $HOME/.openssl.cnf
> on top of the global version.
>
> And whereas setting of $OPENSSL_CONF could be used and
> communicated to users to achieve the desire, doing so actually
> replaces inclusion of the global openssl.cnf, which likely does not
> result in the wanted effect!?!
> While here, it doesn't seem possible to _forbid_ use of
> $OPENSSL_CONF (from reading the manual)?
> If that is true then I would ask for an additional
> CONF_MFLAGS_NO_OPENSSL_CNF_ENV bit, too.
>

While that could be done it would be a while before the new feature appeared in
released versions of OpenSSL. You can get finer control over the configuration
using existing APIs with current versions of OpenSSL.

With CONF_modules_load_file() if the passed filename is not NULL then only that
value is used. You only get the use of a local or system openssl.cnf if
the filename passed is NULL. So if you pass the path to a "system" openssl.cnf
it cannot be overridden by the OPENSSL_CONF environment variable.

The function CONF_modules_load can be passed the CONF structure to use directly
which doesn't need to come from a file at all. It could be from multiple files,
hard coded data or something strange like the Windows registry (if the
appropriate code was written to add the data to the CONF structure).

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
