[openssl-dev] Systemwide configurability of OpenSSL
Tomas Mraz
tmraz at redhat.com
Wed Oct 25 15:19:23 UTC 2017
On 09/28/2017 12:21 AM, Steffen Nurpmeso wrote:
> Hello.
>
> Tomas Mraz <tmraz at redhat.com> wrote:
> |I would like to restart the discussion about possibilities of system-
> |wide configurability of OpenSSL and particularly libssl.
> |
> |Historically OpenSSL allowed only for configuration of the enabled
> |ciphersuites list if application called appropriate API call. This is
> |now enhanced with the SSL_CONF API and the applications can set things
> |such as allowed signature algorithms or protocol versions via this API.
>
> Now is the time to thank the OpenSSL for this improvement which
> will change the world mid- or long term: thank you!
+1
...
> |However libssl currently does not have a way to apply some policy such
> |as using just protocol TLS1.2 or better system-wide with a possibility
> |for sysadmin to configure this via some configuration file. Of course
> |it would still be up to individual application configurations whether
> |they override such policy or not, but it would be useful for sysadmin
> |to be able to set such policy and depend on that setting if he does not
> |modify the settings in individual application configurations.
> |
> |How would openssl maintainers regard a patch that would add loading of
> |a system-wide SSL configuration file on startup and application of it
>
> Having a global one and especially giving administrators the
> possibility to provide an outer cramp that cannot be loosened any
> further, though further restricted, would indeed be good.
> And that being applied automatically just when SSL library is
> initialized, without an explicit application-side
> CONF_modules_load_file(). If I recall correctly that was the
> original suggestion.
>
> And is it actually possible to have a generic "super-section" that
> is applied even if an application specific one has been chosen?
> And unfortunately it is not possible to say MinProtocol=Latest,
> like this users have to be aware, even if they are not. With
> MinProtocol=Latest they would only have to face this jungle of
> non-understanding (be honest: Google/DuckDuckGo plus
> copy-and-paste, isn't it) if something really fails.

The problem is that by default the applications do not read the file and
do not apply the defaults. Even the openssl s_client/s_server does not
seem to work, but I might be doing something wrong.

What I would like to see is applying the defaults unconditionally or
maybe with some possibility to opt-out of it by application but not opt-in.

Can I please get at least some response from the openssl team? Should I
open an issue on github for that feature?

Tomas Mraz
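
Added example, not part of the original message and not OpenSSL code: a small audit of an OpenSSL configuration file that checks whether a system-wide MinProtocol floor is set and whether any application-specific section loosens it. It assumes the `openssl_conf` -> `ssl_conf` -> `system_default` section layout used by later OpenSSL releases; the sample file and the `legacy_app` entry are constructed for illustration.

```python
import re

# Constructed sample config (hypothetical, not taken from the thread).
SAMPLE_CNF = """\
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
legacy_app = legacy_sect
[system_default_sect]
MinProtocol = TLSv1.2   # admin-set floor
[legacy_sect]
MinProtocol = TLSv1
"""

# Protocol names accepted by MinProtocol, weakest first (TLS only).
ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

def parse_cnf(text):
    """Minimal parser: [section] headers, key = value pairs, # comments."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.fullmatch(r"\[\s*(\S+)\s*\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[current][key] = value
    return sections

def ssl_entries(sections):
    """Follow openssl_conf -> ssl_conf; map each entry name to its MinProtocol."""
    try:
        ssl_sect = sections[sections[sections[""]["openssl_conf"]]["ssl_conf"]]
    except KeyError:
        return {}
    return {name: sections.get(target, {}).get("MinProtocol")
            for name, target in ssl_sect.items()}

def audit(text, floor="TLSv1.2"):
    """Return entry names with no MinProtocol or one below the floor."""
    entries = ssl_entries(parse_cnf(text))
    entries.setdefault("system_default", None)  # an absent default is a finding
    return sorted(name for name, proto in entries.items()
                  if proto not in ORDER or ORDER.index(proto) < ORDER.index(floor))

if __name__ == "__main__":
    print(audit(SAMPLE_CNF))
```
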