On Mon, 2014-03-31 at 12:23 +0000, Viktor Dukhovni wrote:
> > and (2) it is not easy to modify just a single
> > section of that file with system scripts (especially since that file is
> > expected to be modified manually by the administrator).
> This is likely a good thing. Once a default is set, changing it
> incompatibly, without explicit knowledge of the likely impact, is
> a bad idea. Making non-default settings is up to the system
> administrator.
> I would be leery of using systems where the distribution vendor
> makes incompatible changes to security policy.
Unless of course it is the administrator who changed the security policy,
and that's what I'm trying to achieve here. The idea is to allow the
administrator to change the security policy in the system from a single
place and not require him to change it for each and every possible SSL
application, taking into account the backend library or protocols in use.
That is why it would be good to set the security parameters from a
configuration file that is easily modified from scripts.

> > The former can be probably overcome by forcing OPENSSL_config() when the
> > cipher string is parsed, and the latter by allowing OPENSSL_config to
> > load files from a directory and concatenate them prior to parsing.
> > What would you think of such an approach? Any better suggestions?
> This too feels like intrusive overreach. What problem are you
> trying to solve?

The goal is to allow the configuration of the security level of
applications centrally in a system. That is, to not require the
administrator to configure each and every service to obtain a sane
security level, and to simplify the current best practices [0]. The way I
thought of doing it for openssl is via a global cipher string, which
currently can only set the ciphersuites, but Stephen's changes for the
security level are really empowering that approach.

regards,
Nikos

[0]. https://bettercrypto.org/static/applied-crypto-hardening.pdf

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
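As an added illustration of the "load files from a directory and concatenate them prior to parsing" approach discussed above (example code written for this page, not code from the thread or from OpenSSL), a POSIX sh script that assembles one system-wide policy file from drop-in fragments, so a script can replace a single fragment instead of editing a hand-maintained openssl.cnf. The directory /etc/ssl/openssl.cnf.d and the CipherString key in a flat file are assumptions for the example.

```shell
#!/bin/sh
# Added example (assumption: policy fragments live in /etc/ssl/openssl.cnf.d
# and the merged file is consumed by OPENSSL_config()). Fragments are
# concatenated in lexical order, so "50-site.cnf" overrides "10-default.cnf"
# and the last CipherString seen is the effective one.

# merge_cnf_dir DIR OUT: concatenate DIR/*.cnf (glob order is sorted in
# POSIX sh) into OUT, marking the origin of every fragment for auditing.
merge_cnf_dir() {
    dir=$1; out=$2
    : > "$out"
    printf '# generated from %s; edit the fragments, not this file\n' "$dir" >> "$out"
    for f in "$dir"/*.cnf; do
        [ -f "$f" ] || continue            # no fragments: leave only the header
        printf '# --- %s ---\n' "$f" >> "$out"
        cat "$f" >> "$out"
        printf '\n' >> "$out"              # guard against a missing final newline
    done
}

# effective_value FILE KEY: print the value of the last "KEY = value" line
# in FILE (comment lines never match because they start with '#'); empty
# output means the key is not set anywhere in the merged policy.
effective_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed -e 's/[[:space:]]*$//' | tail -n 1
}

# check_cipher_string STR: ask the local openssl(1), if present, whether the
# merged cipher string parses, so a typo in a fragment is caught before any
# service picks it up. Returns 0 when openssl is unavailable (check skipped).
check_cipher_string() {
    command -v openssl >/dev/null 2>&1 || return 0
    openssl ciphers "$1" >/dev/null 2>&1
}

# Usage (not executed when sourced by a test):
#   merge_cnf_dir /etc/ssl/openssl.cnf.d /etc/ssl/openssl.cnf
#   check_cipher_string "$(effective_value /etc/ssl/openssl.cnf CipherString)"
```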
