[openssl-users] recommended build options

Jeffrey Walton noloader at gmail.com
Thu Mar 3 19:00:31 UTC 2016


>> > By and large what should be off by default eventually or already
>> > is, but there can be some delay for backwards compatibility.
>> ...
>> > With these you're covered for no-ssl2 no-comp and no weak ciphers.
>>
>> We are using 1.0.2f; no-ssl2 and no-comp do not appear to be defaults in
>> that version.  Should heartbeats be turned off, or have recent versions of
>> OpenSSL taken care of any potential weaknesses there?
>
> Yes, you do need to disable "ssl2" in releases prior to 1.0.1s
> and 1.0.2g.
>
> Note that "no-comp" is a consequence of "zlib" and "zlib-dynamic"
> not being enabled.  You have to choose to turn compression on IIRC
> by enabling one of these.

no-comp disables compression independent of zlib. OPENSSL_NO_COMP will
be defined in the OpenSSL headers.

Also see https://wiki.openssl.org/index.php/Compilation_and_Installation#Configure_Options.
As interesting ones show up and team members comment on them, they get
added to the list.

Jeff
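
An added example, not part of the original post: because the configure options end up as OPENSSL_NO_* macros in the installed headers, a build can be audited by scanning opensslconf.h for them. The function names, the sample header contents and the choice of the three options (ssl2, comp, heartbeats, the ones raised in this thread) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: report which of the options discussed in this thread
# are recorded as OPENSSL_NO_* macros in an opensslconf.h file.

# Macro suffixes for no-ssl2, no-comp and no-heartbeats.
WANTED="SSL2 COMP HEARTBEATS"

# Print one "MACRO: defined|missing" line per wanted option.
# Returns 0 if all are defined, 1 if any is missing, 2 if the file is unreadable.
check_openssl_opts() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    rc=0
    for opt in $WANTED; do
        # Accept "#define X" and "# define X"; require the whole macro name,
        # and ignore #ifndef lines and mentions inside comments.
        if grep -Eq "^[[:space:]]*#[[:space:]]*define[[:space:]]+OPENSSL_NO_${opt}([[:space:]]|\$)" "$conf"; then
            echo "OPENSSL_NO_${opt}: defined"
        else
            echo "OPENSSL_NO_${opt}: missing"
            rc=1
        fi
    done
    return $rc
}

# Write a constructed sample header (not a real opensslconf.h) to "$1".
# It models a build configured with no-ssl2 and no-comp but with heartbeats on.
make_sample_conf() {
    cat > "$1" <<'EOF'
/* constructed sample: OPENSSL_NO_HEARTBEATS is not defined here */
#ifndef OPENSSL_NO_COMP
# define OPENSSL_NO_COMP
#endif
#ifndef OPENSSL_NO_SSL2
#define OPENSSL_NO_SSL2
#endif
EOF
}

# Stand-alone use: pass the path to the installed header as the first argument.
if [ $# -gt 0 ]; then
    check_openssl_opts "$1"
fi
```

Point it at the header the application actually compiles against, since a system copy and a locally built copy can differ.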

