[openssl-dev] Proposed cipher changes for post-1.0.2

Dr. Stephen Henson steve at openssl.org
Fri Feb 13 15:54:50 UTC 2015


On Fri, Feb 13, 2015, Viktor Dukhovni wrote:

> On Fri, Feb 13, 2015 at 11:59:13AM +0000, Salz, Rich wrote:
> 
> > > Some time ago, I had submitted a patch which allows administrators, but
> > > most importantly OS distributors to set their own strings in the configuration
> > > file, which software can then rely on, to provide a consistent security level:
> > > https://github.com/openssl/openssl/pull/192
> > 
> > And my intent is to pull this into master pretty soon.
> 
> And applications would need to opt-in to having this new profile
> apply, or more usefully need to be able to choose which
> application-specific file contains the desired profile.  There's
> no such thing as a universal profile that works for all software.
> 
> We may not need a patch for this, I thought we were about to deprecate
> OpenSSL_config() with its void return status and encourage folks
> to use the NCONF API, which should be able to handle this, or be close
> in any case.
> 

Just a clarification. The initialisation we're recommending I normally refer
to as "config modules". NCONF is a more general API for configuration files.

Config modules were intended to be used for application setup so would
be a good place to add a system cipher string instead of a whole new mechanism.
The only problem is that it would only work with applications that supported
config modules.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org

