On 09/28/2017 12:21 AM, Steffen Nurpmeso wrote:
> Hello.
>
> Tomas Mraz <tm...@redhat.com> wrote:
> |I would like to restart the discussion about possibilities of system-
> |wide configurability of OpenSSL and particularly libssl.
> |
> |Historically OpenSSL allowed only for configuration of the enabled
> |ciphersuites list if application called appropriate API call. This is
> |now enhanced with the SSL_CONF API and the applications can set things
> |such as allowed signature algorithms or protocol versions via this API.
>
> Now is the time to thank the OpenSSL for this improvement which
> will change the world mid- or long term: thank you!

+1

...

> |However libssl currently does not have a way to apply some policy such
> |as using just protocol TLS1.2 or better system-wide with a possibility
> |for sysadmin to configure this via some configuration file. Of course
> |it would still be up to individual application configurations whether
> |they override such policy or not, but it would be useful for sysadmin
> |to be able to set such policy and depend on that setting if he does not
> |modify the settings in individual application configurations.
> |
> |How would openssl maintainers regard a patch that would add loading of
> |a system-wide SSL configuration file on startup and application of it
>
> Having a global one and especially giving administrators the
> possibility to provide an outer cramp that cannot be loosened any
> further, though further restricted, would indeed be good.
> And that being applied automatically just when SSL library is
> initialized, without an explicit application-side
> CONF_modules_load_file(). If I recall correctly that was the
> original suggestion.
>
> And is it actually possible to have a generic "super-section" that
> is applied even if an application specific one has been chosen?
> And unfortunately it is not possible to say MinProtocol=Latest,
> like this users have to be aware, even if they are not. With
> MinProtocol=Latest they would only have to face this jungle of
> non-understanding (be honest: Google/DuckDuckGo plus
> copy-and-paste, isn't it) if something really fails.

The problem is that by default the applications do not read the file and
do not apply the defaults. Even the openssl s_client/s_server does not
seem to work, but I might be doing something wrong.

What I would like to see is applying the defaults unconditionally or
maybe with some possibility to opt-out of it by application but not
opt-in.

Can I please get at least some response from the openssl team? Should I
open an issue on github for that feature?

Tomas Mraz
-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev