SSL_CONF_cmd(): SecurityLevel keyword, by chance?
Steffen Nurpmeso
steffen at sdaoden.eu
Mon Jan 11 22:19:30 UTC 2021
Hello.
Matt Caswell wrote in
<eea19b85-2030-15ed-c1d0-d8594c8cd097 at openssl.org>:
|On 09/01/2021 23:24, Steffen Nurpmeso wrote:
|> Hello.
|>
|> I do use SSL_CONF_cmd() (and modules) possibility if it exists,
|> since it allows users to simply use the features of the newest
|> OpenSSL library without any code changes on my side.
|> This is great, and i think i applauded in the past.
|>
|> I discovered security_level(), needless to say i thought
|> @SECLEVEL= of ciphers(1) was broken until i discovered -s is
|> required to make it functional (..and do not get me started on
|> -ciphersuites..).
|>
|> Wouldn't it make sense to offer SecurityLevel as a keyword for
|> SSL_CONF_cmd(), and therefore also SSL_CTX_config(), too -- since
|> it seems (from the manual) to extend to more than what i would
|> assume to be covered by a @SECLEVEL member of CipherString aka
|> ..Ciphersuites...?
|
|This is probably a good idea. I'd support it if someone wanted to add that.
Please find a simple add-on attached, it could be it ("having no
idea of the codebase"..). It compiles, but when linking against
678cae0295e3f (master from today) plus the patch i get errors:
In file included from /home/steffen/src/nail.git/src/mx/xtls.c:60:
/home/steffen/src/nail.git/src/mx/xtls.c:402:4: error: expected declaration specifiers or '...' before 'ossl_check_const_GENERAL_NAME_sk_type'
402 | DEFINE_STACK_OF(GENERAL_NAME)
| ^~~~~~~~~~~~~~~
/home/steffen/src/nail.git/src/mx/xtls.c:402:4: error: expected ')' before '*' token
402 | DEFINE_STACK_OF(GENERAL_NAME)
| ^~~~~~~~~~~~~~~
/home/steffen/src/nail.git/src/mx/xtls.c:402:4: error: expected ')' before 'OPENSSL_sk_value'
402 | DEFINE_STACK_OF(GENERAL_NAME)
| ^~~~~~~~~~~~~~~
In file included from /home/steffen/usr-kent-linux-x86_64/opt/.ossl3/include/openssl/crypto.h:35,
from /home/steffen/src/nail.git/src/mx/xtls.c:53:
/home/steffen/src/nail.git/src/mx/xtls.c:402:4: error: expected identifier or '(' before 'struct'
402 | DEFINE_STACK_OF(GENERAL_NAME)
| ^~~~~~~~~~~~~~~
In file included from /home/steffen/src/nail.git/src/mx/xtls.c:60:
/home/steffen/src/nail.git/src/mx/xtls.c:402:4: error: expected ')' before 'OPENSSL_sk_new'
402 | DEFINE_STACK_OF(GENERAL_NAME)
| ^~~~~~~~~~~~~~~
/home/steffen/src/nail.git/src/mx/xtls.c:402:1: error: macro "sk_GENERAL_NAME_new_null" passed 1 arguments, but takes just 0
402 | DEFINE_STACK_OF(GENERAL_NAME)
| ^ ~~~~~~~~~~~~~~~~~~~~~
In file included from /home/steffen/src/nail.git/src/mx/xtls.c:60:
/home/steffen/usr-kent-linux-x86_64/opt/.ossl3/include/openssl/x509v3.h:225: note: macro "sk_GENERAL_NAME_new_null" defined here
225 | #define sk_GENERAL_NAME_new_null() ((STACK_OF(GENERAL_NAME) *)OPENSSL_sk_new_null())
|
I have not tested OpenSSL 3.0 for a while, but it was clean when
i tried it last, my last commit was "Be truly
OPENSSL_NO_DEPRECATED_3_0 clean" on 2020-07-19. I used
./config --prefix=/home/steffen/usr-kent-linux-x86_64/opt/.ossl3 \
zlib-dynamic shared no-deprecated no-async threads no-tests \
-Wl,-rpath,'$(LIBRPATH)'
on a current glibc Linux (CRUX-Linux 3.6).
Ciao from Germany,
--steffen
|
|Der Kragenbaer, The moon bear,
|der holt sich munter he cheerfully and one by one
|einen nach dem anderen runter wa.ks himself off
|(By Robert Gernhardt)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ossl3-conf-seclvl.patch
Type: text/x-diff
Size: 4020 bytes
Desc: not available
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20210111/cbd4dadc/attachment.patch>