On Tue, Jul 08, 2014 at 10:00:24AM -0400, Tomas Hozza wrote:
> I'm afraid this is not suitable for us. We need to be able to define the
> policy somewhere in /etc, where the user is not able to change it (only
> the system administrator).
I hope can also prevent the user from running his own wget executable, or
ld-preloading modified OpenSSL library, or intercepting open(2) calls to
provide fake /etc file.

> Also the main intention to have a single place to set the policy for all
> system components, therefore wgetrc is not the right place for us.
What about to change wget to call OPENSSL_config(NULL) instead of setting some
hard-coded preference string. Then you can teach OpenSSL to load your /etc
configuration instead of patching each application.

-- Petr

Attachment: pgpieMgSxd4PH.pgp
Description: PGP signature

Reply via email to