On Fri September 2 2011, Michael B Allen wrote:
> On Fri, Sep 2, 2011 at 4:07 PM, Dr. Stephen Henson <st...@openssl.org> wrote:
> > On Fri, Sep 02, 2011, Coda Highland wrote:
> >
> >> > Well I was hoping there was some kind of global configuration file
> >> > directive that would affect the behavior of the openssl library and at
> >> > least everything dynamically linked with it. But based on your answer
> >> > it's fairly clear that there is no such option.
> >>
> >> He said that for OpenSSL 1.0.0 that the cipher list controls it. You
> >> can configure the cipher list from openssl.cnf.
> >>
> >
> > Actually you can't. Applications generally have their own way of setting the
> > cipherlist or just rely on the default value and don't allow it to be changed
> > at all.
> 
> It would be very nice if there was a "cipher" list option that
> applications could not override so that you can absolutely block SSLv2
> on the whole machine by only editing one file (openssl.cnf and not
> httpd/conf.d/ssl.conf, postfix/main.cf, dovecot.conf, etc).
> 
> I do not want to build anything from source anymore. Then I would have
> to watch for updates and rebuild all the time. 
>

As a "position statement" I understand your point.

But you seem to have survived skipping all of the library updates
between 0.9.8e and the 1.0 series while depending on your package
manager.
So if you __did not__ "watch for updates and rebuild all the time"
you would be no worse off than you are now.

> I would much rather 
> just rely on the distribution's package repository to keep me
> up-to-date.
> 
> I'm currently using openssl 0.9.8e from CentOS 5.6. But CentOS 6 has
> openssl 1.0 and it also has Postfix 2.6 which supports the
> smtpd_tls_protocols = !SSLv2 directive which is required to disable
> SSLv2 in Postfix at the app-level. So it sounds like I will need to
> migrate to CentOS 6.
>

OR, modify your package manager control files to select OpenSSL and Postfix
packages from the newer distribution repository rather than migrate
the entire OS to a new distribution.

OR, from a CentOS-5 repository that tracks updates to the packages that
you feel are critical to your usage more closely than the "release repo".

Lots of ways you could choose to "shape" your administration tasks to
your liking.  ;-)
All of those decisions are best made by yourself.

Back to your original question -
Building a dynamic library that refers to an on-disk control file seems
a bit impractical for a library that may be used on systems that do not
have any file system to speak of.  ;-)

Mike
> Mike


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
