[openssl-dev] Systemwide configurability of OpenSSL
Matt Caswell
matt at openssl.org
Wed Oct 25 15:45:58 UTC 2017
On 25/10/17 16:19, Tomas Mraz wrote:
>> |However libssl currently does not have a way to apply some policy such
>> |as using just protocol TLS1.2 or better system-wide with a possibility
>> |for sysadmin to configure this via some configuration file. Of course
>> |it would still be up to individual application configurations whether
>> |they override such policy or not, but it would be useful for sysadmin
>> |to be able to set such policy and depend on that setting if he does not
>> |modify the settings in individual application configurations.
>> |
>> |How would openssl maintainers regard a patch that would add loading of
>> |a system-wide SSL configuration file on startup and application of it
>>
>> Having a global one and especially giving administrators the
>> possibility to provide an outer cramp that cannot be loosened any
>> further, though further restricted, would indeed be good.
>> And that being applied automatically just when SSL library is
>> initialized, without an explicit application-side
>> CONF_modules_load_file(). If i recall correctly that was the
>> original suggestion.
>>
>> And is it actually possible to have a generic "super-section" that
>> is applied even if an application specific one has been chosen?
>> And unfortunately it is not possible to say MinProtocol=Latest,
>> like this users have to be aware, even if they are not. With
>> MinProtocol=Latest they would only have to face this jungle of
>> non-understanding (be honest: Google/DuckDuckGo plus
>> copy-and-paste, isn't it) if something really fails.
>
> The problem is that by default the applications do not read the file and
> do not apply the defaults. Even the openssl s_client/s_server do not
> seem to work, but I might be doing something wrong.
>
> What I would like to see is applying the defaults unconditionally or
> maybe with some possibility to opt-out of it by application but not opt-in.
>
> Can I please get at least some response from the openssl team? Should I
> open an issue on github for that feature?
Hmmmm....seems like something that would go in OPENSSL_init_ssl() (which
is called automatically at start up).
Matt
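For reference, the shape such a system-wide policy takes in an openssl.cnf. This is an added illustration, not a patch from this thread: it uses the ssl_conf module and a named section, which an application at the time of this thread (1.1.0) still had to opt into itself by loading the file and naming the section (for example CONF_modules_load_file() followed by SSL_CTX_config()). The file path and the section names below are assumptions; the one name that matters is system_default, which OpenSSL 1.1.1 later applies automatically on SSL_CTX creation, i.e. the unconditional behaviour asked for above.

```ini
# /etc/ssl/openssl.cnf (assumed path; the real default is build-dependent
# and is printed by `openssl version -d`).

# Name of the section the library looks for when it loads its config
# (can be overridden by the appname argument of CONF_modules_load_file()).
openssl_conf = default_conf

[default_conf]
# Hand the ssl_conf module a section mapping policy names to sections.
ssl_conf = ssl_sect

[ssl_sect]
# The name an application passes to SSL_CTX_config(ctx, "system_default").
# From OpenSSL 1.1.1 on, a section registered under exactly this name is
# applied to every new SSL_CTX with no application opt-in.
system_default = system_default_sect

[system_default_sect]
# Sysadmin policy: refuse anything older than TLS 1.2.
MinProtocol = TLSv1.2
# Prune weak ciphers as well; @SECLEVEL=2 rejects < 112-bit security.
CipherString = DEFAULT@SECLEVEL=2
```

The policy is a floor, not a clamp: an application that later calls SSL_CTX_set_min_proto_version() or the s_client/s_server -tls1 flags overrides it, exactly as the first message in the thread anticipates. To check the floor is in effect on 1.1.1 or later, run `openssl s_server -tls1` and connect with a plain `openssl s_client -connect localhost:4433` (no version flag, so the client keeps the configured minimum); the handshake should be refused with a protocol version failure.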