[openssl-dev] Systemwide configurability of OpenSSL

Tomas Mraz tmraz at redhat.com
Wed Sep 27 15:02:06 UTC 2017


I would like to restart the discussion about possibilities of system-
wide configurability of OpenSSL and particularly libssl.

Historically OpenSSL allowed only for configuration of the enabled
ciphersuites list if the application called the appropriate API call. This is
now enhanced with the SSL_CONF API and the applications can set things
such as allowed signature algorithms or protocol versions via this API.

However libssl currently does not have a way to apply some policy such
as using just protocol TLS1.2 or better system-wide with a possibility
for the sysadmin to configure this via some configuration file. Of course
it would still be up to individual application configurations whether
they override such policy or not, but it would be useful for the sysadmin
to be able to set such policy and depend on that setting if he does not
modify the settings in individual application configurations.

How would openssl maintainers regard a patch that would add loading of
a system-wide SSL configuration file on startup and application of it
on SSL_CTX initialization (or some other appropriate place)? Is this
approach the way to go forward or do you have some better way in mind?

Such an effort was initially attempted in the
https://github.com/openssl/openssl/pull/192 and
https://github.com/openssl/openssl/pull/193 pull requests, but given the
comments, we are exploring other options to achieve that goal. What do
you think could be a better way?

Thanks for your comments,
-- 
Tomáš Mráz
Red Hat

No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your
conscience.]

 * Google and NSA associates, this message is none of your business.
 * Please leave it alone, and consider whether your actions are
 * authorized by the contract with Red Hat, or by the US constitution.
 * If you feel you're being encouraged to disregard the limits built
 * into them, remember Edward Snowden and Wikileaks.
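For concreteness, this is what such a system-wide policy file looks like in the mechanism OpenSSL later shipped: the ssl_conf configuration module with a system_default section, available from OpenSSL 1.1.1 onwards and applied inside SSL_CTX_new. This is an added illustration, not part of the original message or of the pull requests it cites; the section names other than system_default are arbitrary and chosen for this example.

```ini
# /etc/ssl/openssl.cnf (constructed example; the real path depends on the build)
openssl_conf = openssl_init

[openssl_init]
# Load the SSL configuration module and point it at its section.
ssl_conf = ssl_module

[ssl_module]
# The section named here is applied to every SSL_CTX at creation time,
# which is the "application on SSL_CTX initialization" the post asks for.
system_default = tls_system_default

[tls_system_default]
# File-form SSL_CONF commands; these are the same commands SSL_CONF_cmd accepts.
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
Options = ServerPreference
```

Because the section is applied inside SSL_CTX_new, anything an application sets explicitly afterwards (the per-application override the post describes) still takes precedence over the system-wide values.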
