On Fri, Feb 13, 2015, Viktor Dukhovni wrote:

> On Fri, Feb 13, 2015 at 11:59:13AM +0000, Salz, Rich wrote:
>
> > > Some time ago, I had submitted a patch which allows administrators, but
> > > most importantly OS distributors to set their own strings in the
> > > configuration file, which software can then rely on, to provide a
> > > consistent security level:
> > > https://github.com/openssl/openssl/pull/192
> >
> > And my intent is to pull this into master pretty soon.
>
> And applications would need to opt-in to having this new profile
> apply, or more usefully need to be able to choose which
> application-specific file contains the desired profile. There's
> no such thing as a universal profile that works for all software.
>
> We may not need a patch for this, I thought we were about to deprecate
> OpenSSL_config() with its void return status and encourage folks
> to use the NCONF API, which should be able to handle this, or be close
> in any case.
>
Just clarification. The initialisation we're recommending I normally refer to
as "config modules". NCONF is a more general API for configuration files.

Config modules were intended to be used for application setup so would be a
good place to add a system cipher string instead of a whole new mechanism. The
only problem is that it would only work with applications that supported config
modules.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org