On Thu, 2015-02-12 at 18:39 +0100, Steffen Nurpmeso wrote:
> I absolutely support all statements of Daniel Kahn Gillmor, but
> especially that dynamism must be handled at a place that can be
> adjusted without the necessity for any recompilation.
> And i want to point to OPENSSL_config(3) which states for a longer
> time duration:
>
> It is strongly recommended that all new applications call
> OPENSSL_config() or the more sophisticated functions such as
> CONF_modules_load() during initialization (that is before starting any
> threads). By doing this an application does not need to keep track of
> all configuration options and some new functionality can be supported
> automatically.
>
> and so this finally appears to me as a natural place for such
> things. (The next version of the MUA i maintain will, also
> finally, add support for this, for example.)
>
> I think it was a bug report (sigh; btw., is the new EVP test still
> broken regarding "evp_test(33743) malloc: pointer being freed was
> not allocated"?) where i've expressed my own personal feelings
> about that topic, in that i think the best would be if the
> configuration file would be extended to offer the necessary
> possibilities, yet i would dramatically change the current
> semantics, for example regarding $OPENSSL_CONF, but there also
> should be an option to enable the usual Unix configuration file
> chain way of doing things ("global configuration file", "$HOME
> configuration file"), and an administrator should have the option
> to fixate some settings, possibly via a new "!" prefix to
> a variable option, as in
>
> # /etc/openssl.rc
> [ciphers]
> DEFAULT=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384
> !ALL=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384
>
> so that a user could do
>
> # ~/.openssl.rc
> [ciphers]
> DEFAULT=ECDHE-RSA-AES256-GCM-SHA384
Some time ago, I had submitted a patch which allows administrators, but most importantly OS distributors, to set their own strings in the configuration file, which software can then rely on, to provide a consistent security level: https://github.com/openssl/openssl/pull/192

regards,
Nikos

_______________________________________________
openssl-dev mailing list
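The "!" lock semantics Steffen sketches above (a global file, a per-user file, and administrator-fixated keys), as an added example that is not part of this thread and not OpenSSL's own config parser: a small Python merger with hypothetical `parse`/`merge` functions and constructed file contents, in which a user's attempt to override a locked key is ignored while unlocked keys still take the user's value.

```python
# Constructed illustration of the proposed "!"-prefix lock; not OpenSSL code.
from collections import defaultdict

def parse(text):
    """Parse INI-like text into {section: {key: (value, locked)}}.
    A key written as '!KEY=...' is recorded as locked (administrator-fixated)."""
    sections = defaultdict(dict)
    section = "default"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()  # new section header
            continue
        if "=" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        key, value = (part.strip() for part in line.split("=", 1))
        sections[section][key.lstrip("!")] = (value, key.startswith("!"))
    return sections

def merge(global_cfg, user_cfg):
    """Layer the user file over the global file; a locked global key wins."""
    merged = {sec: dict(keys) for sec, keys in global_cfg.items()}
    for sec, keys in user_cfg.items():
        for key, (value, _) in keys.items():
            _, locked = merged.get(sec, {}).get(key, (None, False))
            if locked:
                continue                  # admin fixated this key: ignore user value
            merged.setdefault(sec, {})[key] = (value, False)
    return {sec: {k: v for k, (v, _) in keys.items()} for sec, keys in merged.items()}

# Constructed file contents mirroring the two files proposed in the thread.
GLOBAL_RC = """# /etc/openssl.rc
[ciphers]
DEFAULT=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384
!ALL=ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384
"""
USER_RC = """# ~/.openssl.rc
[ciphers]
DEFAULT=ECDHE-RSA-AES256-GCM-SHA384
ALL=HIGH:MEDIUM
"""

def effective_ciphers():
    """Return the [ciphers] section a library would see after both files apply."""
    return merge(parse(GLOBAL_RC), parse(USER_RC))["ciphers"]

if __name__ == "__main__":
    print(effective_ciphers())
```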