[openssl-dev] Systemwide configurability of OpenSSL

Tomas Mraz tmraz at redhat.com
Wed Oct 25 15:19:23 UTC 2017


On 09/28/2017 12:21 AM, Steffen Nurpmeso wrote:
> Hello.
> 
> Tomas Mraz <tmraz at redhat.com> wrote:
>  |I would like to restart the discussion about possibilities of system-
>  |wide configurability of OpenSSL and particularly libssl.
>  |
>  |Historically OpenSSL allowed only for configuration of the enabled
>  |ciphersuites list if the application called the appropriate API call.
>  |This is now enhanced with the SSL_CONF API and the applications can set
>  |things such as allowed signature algorithms or protocol versions via
>  |this API.
> 
> Now is the time to thank OpenSSL for this improvement which
> will change the world mid- or long term: thank you!

+1

...

>  |However libssl currently does not have a way to apply some policy such
>  |as using just protocol TLS1.2 or better system-wide with a possibility
>  |for the sysadmin to configure this via some configuration file. Of
>  |course it would still be up to individual application configurations
>  |whether they override such policy or not, but it would be useful for
>  |the sysadmin to be able to set such policy and depend on that setting
>  |if he does not modify the settings in individual application
>  |configurations.
>  |
>  |How would openssl maintainers regard a patch that would add loading of
>  |a system-wide SSL configuration file on startup and application of it
> 
> Having a global one and especially giving administrators the
> possibility to provide an outer clamp that cannot be loosened any
> further, though further restricted, would indeed be good.
> And that being applied automatically just when the SSL library is
> initialized, without an explicit application-side
> CONF_modules_load_file().  If I recall correctly that was the
> original suggestion.
> 
> And is it actually possible to have a generic "super-section" that
> is applied even if an application specific one has been chosen?
> And unfortunately it is not possible to say MinProtocol=Latest;
> like this, users have to be aware, even if they are not.  With
> MinProtocol=Latest they would only have to face this jungle of
> non-understanding (be honest: Google/DuckDuckGo plus
> copy-and-paste, isn't it) if something really fails.

The problem is that by default the applications do not read the file and
do not apply the defaults. Even the openssl s_client/s_server does not
seem to work, but I might be doing something wrong.

What I would like to see is applying the defaults unconditionally or
maybe with some possibility to opt-out of it by application but not opt-in.

Can I please get at least some response from the openssl team? Should I
open an issue on GitHub for that feature?

Tomas Mraz

