[openssl-project] Sanity check understanding of automatic module initialization?
Viktor Dukhovni
openssl-users at dukhovni.org
Mon Dec 31 03:52:08 UTC 2018
With automatic library initialization in OpenSSL 1.1.0 and later,
settings from the system-wide "openssl.cnf" file are automatically
loaded and may in turn cause various "modules" to be initialized.
For example, with:
openssl.conf:
openssl_conf = system-wide-modules
#
[system-wide-modules]
ssl_conf = system-wide-ssl
#
[system-wide-ssl]
system_default = ssl-defaults
#
[ssl-defaults]
MinProtocol = TLSv1.2
...
the settings in the "ssl-defaults" section will be loaded into memory,
and will be applied to every SSL_CTX() via:
SSL_CTX_new() ->
ssl_ctx_system_config() ->
ssl_do_config() ->
conf_ssl_get() ... SSL_CONF_cmd()
Any settings loaded via SSL_CTX_config() are in addition to the
above, possibly not necessarily overriding some of the implicit
defaults.
Looking at the code, it seems that the only way to make sure that
the application is not affected by unexpected system-wide settings,
is to load an alternative configuration file, via:
CONF_modules_load_file()
making sure that the file contains at least one profile in the
"ssl_conf" module section, whose section (to avoid errors) requires
at least one setting (empty sections should IMHO be tolerated, but
currently raise errors). For example, it seems that the below will
suffice to avoid inheriting any settings from the default system-wide
openssl.cnf file:
openssl.conf:
myapp = myapp-modules
#
[myapp-modules]
ssl_conf = myapp-ssl-module
#
[myapp-ssl-module]
bogus-profile = bogus-ssl-settings
#
[bogus-ssl-settings]
MinProtocol = TLSv1.0
If the above is wrong or missing key details, please let me know.
Beyond the sanity check, it seems to me that some of the "big picture"
is missing from the documentation. We have descriptions of pieces
of the API, but discussion of the interaction with automatic
initialization and how all the pieces fit together seems to be
missing. The docs seem to date back to 1.0.2, and the changes in
1.1.0 are not generally properly reflected.
This would be good to address.
--
Viktor.