On Thu, 2014-03-27 at 19:27 +0100, Dr. Stephen Henson wrote:
> > I'd rather see the ability to add a new section in openssl.cnf, like
> > [ cipher-profile ]
> > redhat-recommended = AES256-CGM-SHA384
> >
> > and then you could do things like
> > -ciphers profile@redhat-recommended:RC4-SHA128
>
> Yes I agree. There is an existing method for adding configuration in
> openssl.cnf for various purposes (ENGINE, OIDs, FIPS) and instead of a new
> configuration file a configuration module could be added instead. It could be
> extended beyond just cipher strings, for example expressing some SSL_CONF
> commands which would be used whenever that section is referenced.
This looks indeed cleaner, but based on my understanding of openssl, I think the main issues with that are (1) that applications may not call OPENSSL_config at all, and (2) it is not easy to modify just a single section of that file with system scripts (especially since that file is expected to be modified manually by the administrator). The former can probably be overcome by forcing OPENSSL_config() when the cipher string is parsed, and the latter by allowing OPENSSL_config to load files from a directory and concatenate them prior to parsing.

What would you think of such an approach? Any better suggestions?

regards,
Nikos

______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
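To make the proposal concrete, here is an added example (not OpenSSL code, and not from either poster) that parses a constructed openssl.cnf-style fragment with the proposed [ cipher-profile ] section, optionally concatenates fragments from a directory as Nikos suggests, and expands profile@NAME elements in a cipher string. The profile@ syntax, the section name and the directory layout are assumptions taken from the thread, not existing OpenSSL behaviour.

```python
import configparser
from pathlib import Path

# Constructed sample in openssl.cnf style; the section and its contents are
# the thread's proposal, not something OpenSSL reads today.
SAMPLE_CNF = """
[ cipher-profile ]
redhat-recommended = AES256-GCM-SHA384:AES128-GCM-SHA256
legacy = AES128-SHA
"""

def load_profiles(cnf_text: str) -> dict:
    """Return the key/value pairs of the [ cipher-profile ] section."""
    # strict=False lets a later fragment override an earlier profile of the
    # same name instead of raising DuplicateOptionError.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   strict=False)
    cp.optionxform = str  # keep profile names case-sensitive
    cp.read_string(cnf_text)
    # openssl.cnf writes "[ name ]"; configparser keeps the surrounding spaces
    for section in cp.sections():
        if section.strip() == "cipher-profile":
            return dict(cp[section])
    return {}

def load_profile_dir(directory: Path) -> dict:
    """Concatenate every *.cnf fragment in a directory, then parse once."""
    text = "\n".join(p.read_text() for p in sorted(directory.glob("*.cnf")))
    return load_profiles(text)

def expand_cipher_string(cipher_string: str, profiles: dict) -> str:
    """Replace each 'profile@NAME' element with that profile's cipher list.

    Elements are ':'-separated as in OpenSSL cipher strings. An unknown
    profile is an error rather than an empty expansion, so a typo in a
    profile name cannot silently leave the string without the intended suites.
    """
    out = []
    for elem in cipher_string.split(":"):
        if elem.startswith("profile@"):
            name = elem[len("profile@"):]
            if name not in profiles:
                raise ValueError(f"unknown cipher profile: {name}")
            out.extend(profiles[name].split(":"))
        else:
            out.append(elem)
    return ":".join(out)
```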
