On 25/10/17 16:19, Tomas Mraz wrote:
>> |However libssl currently does not have a way to apply some policy such
>> |as using just protocol TLS1.2 or better system-wide with a possibility
>> |for sysadmin to configure this via some configuration file. Of course
>> |it would still be up to individual application configurations whether
>> |they override such policy or not, but it would be useful for sysadmin
>> |to be able to set such policy and depend on that setting if he does not
>> |modify the settings in individual application configurations.
>> |
>> |How would openssl maintainers regard a patch that would add loading of
>> |a system-wide SSL configuration file on startup and application of it
>>
>> Having a global one and especially giving administrators the
>> possibility to provide an outer cramp that cannot be loosened any
>> further, though further restricted, would indeed be good.
>> And that being applied automatically just when SSL library is
>> initialized, without an explicit application-side
>> CONF_modules_load_file(). If I recall correctly that was the
>> original suggestion.
>>
>> And is it actually possible to have a generic "super-section" that
>> is applied even if an application specific one has been chosen?
>> And unfortunately it is not possible to say MinProtocol=Latest,
>> like this users have to be aware, even if they are not. With
>> MinProtocol=Latest they would only have to face this jungle of
>> non-understanding (be honest: Google/DuckDuckGo plus
>> copy-and-paste, isn't it) if something really fails.
>
> The problem is that by default the applications do not read the file and
> do not apply the defaults. Even the openssl s_client/s_server does not
> seem to work, but I might be doing something wrong.
>
> What I would like to see is applying the defaults unconditionally or
> maybe with some possibility to opt-out of it by application but not opt-in.
>
> Can I please get at least some response from the openssl team? Should I
> open an issue on github for that feature?
Hmmmm....seems like something that would go in OPENSSL_init_ssl() (which is called automatically at start up).

Matt

--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
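For illustration (added here, not part of the thread), this is an openssl.cnf layout expressing the system-wide policy Tomas describes, assuming OpenSSL 1.1.1 or later, where the ssl_conf module applies a system_default section to every new SSL_CTX at library initialisation; the section names other than the built-in keys (openssl_conf, ssl_conf, system_default) are arbitrary:

```ini
# Path assumed: use the file your build actually reads (see `openssl version -d`).
# Top-level pointer read by the config module when the library initialises.
openssl_conf = default_conf

[default_conf]
# Hand SSL/TLS-related settings to the ssl_conf module.
ssl_conf = ssl_sect

[ssl_sect]
# Applied to each SSL_CTX as it is created, before application code
# gets a chance to adjust it (OpenSSL 1.1.1 and later).
system_default = system_default_sect

[system_default_sect]
# Floor on the protocol version. "Latest" is not a valid value, so this
# line has to be revised by hand as older versions are retired.
MinProtocol = TLSv1.2
# Default cipher list at security level 2 (rejects < 112-bit security).
CipherString = DEFAULT@SECLEVEL=2
```

An application can still loosen these from its own code (for example via SSL_CTX_set_min_proto_version), which is the opt-out the thread discusses rather than the unloosenable outer cramp; auditing that an application does not do so is a separate step.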