[openssl-users] Appropriate use of SSL_CTX_set_cipher_list()

Michael Wojcik Michael.Wojcik at microfocus.com
Wed Jul 18 13:56:15 UTC 2018

> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
> Of Ryan Beethe
> Sent: Tuesday, July 17, 2018 16:37
> However, I realized that Fedora's packaging standards [1] require me to
> elminate this line or use the special value "PROFILE=SYSTEM" for
> So that makes me nervous about whether or not I am using
> SSL_CTX_set_cipher_list() wrong.  Should I be calling it at all?

I recommend you make it configurable.

>  And if
> so, where would I find the "right" setting for other operating systems,
> since "PROFILE=SYSTEM" appears to be Fedora-specific?

Offhand, I'm not aware of other OSes that distribute implementations of OpenSSL that require platform-specific cipher-list settings. This strikes me as a Really Bad Idea on the part of the Fedora developers, but these days I'm not surprised by anything that comes out of the Red Hat organization.

Personally, I'd be tempted to drop Fedora from my list of supported platforms, or to ignore their "packaging standards". I have little tolerance for this sort of nonsense. But if you want to accommodate them, put the cipher list in a configuration file, and set it to "PROFILE=SYSTEM" for Fedora and a proper suite list for everything else. That also gives your customers the flexibility to change the list if they have good reason, or if they just enjoy making poor decisions.

I recommend Ivan Ristic's /Bulletproof TLS/ e-book (or the /OpenSSL Cookbook/ free excerpt, if you can't afford the full book) for cipher-suite recommendations, and much more besides. It's available from the Feisty Duck website.

Michael Wojcik
Distinguished Engineer, Micro Focus

More information about the openssl-users mailing list