[openssl-users] Appropriate use of SSL_CTX_set_cipher_list()

Ryan Beethe ryan at splintermail.com
Tue Jul 17 22:36:47 UTC 2018


I am writing a cross-platform C application, which I would like to
release for a variety of operating systems (Windows 7+, MacOS
HighSierra, Debian 8+, Ubuntu 14.04+, Fedora 27+, Centos 7+, ArchLinux,
at least for now).

Up to now, I have had a line of code which prepares an SSL_CTX object
something like this:

    SSL_CTX_set_cipher_list(ctx->ctx, CIPHERS);

where `CIPHERS` was set to "HIGH:MED:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4".

However, I realized that Fedora's packaging standards [1] require me to
eliminate this line or use the special value "PROFILE=SYSTEM" for
CIPHERS.

So that makes me nervous about whether or not I am using
SSL_CTX_set_cipher_list() wrong.  Should I be calling it at all?  And if
so, where would I find the "right" setting for other operating systems,
since "PROFILE=SYSTEM" appears to be Fedora-specific?

Ryan

[1] https://fedoraproject.org/wiki/Packaging:CryptoPolicies

