On Mon September 5 2011, Michael B Allen wrote:
> On Sat, Sep 3, 2011 at 7:16 AM, Michael S. Zick <open...@morethan.org> wrote:
> > On Fri September 2 2011, Michael B Allen wrote:
> >> On Fri, Sep 2, 2011 at 4:07 PM, Dr. Stephen Henson <st...@openssl.org> wrote:
> >> > On Fri, Sep 02, 2011, Coda Highland wrote:
> >> >
> >> >> > Well I was hoping there was some kind of global configuration file
> >> >> > directive that would affect the behavior of the openssl library and at
> >> >> > least everything dynamically linked with it. But based on your answer
> >> >> > it's fairly clear that there is no such option.
> >> >>
> >> >> He said that for OpenSSL 1.0.0 that the cipher list controls it. You
> >> >> can configure the cipher list from openssl.cnf.
> >> >>
> >> >
> >> > Actually you can't. Applications generally have their own way of
> >> > setting the cipherlist or just rely on the default value and don't
> >> > allow it to be changed at all.
> >>
> >> It would be very nice if there was a "cipher" list option that
> >> applications could not override so that you can absolutely block SSLv2
> >> on the whole machine by only editing one file (openssl.cnf and not
> >> httpd/conf.d/ssl.conf, postfix/main.cf, dovecot.conf, etc).
> >>
> >> I do not want to build anything from source anymore. Then I would have
> >> to watch for updates and rebuild all the time.
> >>
> >
> > As a "position statement" I understand your point.
> >
> > But you seem to have survived skipping all of the library updates
> > between 0.9.8e and the 1.0 series while depending on your package
> > manager.
> > So if you __did not__ "watch for updates and rebuild all the time"
> > you would be no worse off than you are now.
> 
> Not true. CentOS (which is just RedHat without the branding) does the
> "watch for updates" part and backports anything of real importance.
> Meaning some security vulnerability fixed in 1.0 would, in theory, be
> backported to 0.9.8e.
> 
> >> I would much rather
> >> just rely on the distribution's package repository to keep me
> >> up-to-date.
> >>
> >> I'm currently using openssl 0.9.8e from CentOS 5.6. But CentOS 6 has
> >> openssl 1.0 and it also has Postfix 2.6 which supports the
> >> smtpd_tls_protocols = !SSLv2 directive which is required to disable
> >> SSLv2 in Postfix at the app-level. So it sounds like I will need to
> >> migrate to CentOS 6.
> >>
> >
> > OR, modify your package manager control files to select OpenSSL and Postfix
> > packages from the newer distribution repository rather than migrate
> > the entire OS to a new distribution.
> >
> > OR, from a centOS-5 repository that tracks updates to the packages that
> > you feel are critical to your usage more closely than the "release repo".
> >
> > Lots of ways you could choose to "shape" your administration tasks to
> > your liking.  ;-)
> > All of those decisions are best made by yourself.
> >
> > Back to your original question -
> > Building a dynamic library that refers to an on-disk control file seems
> > a bit impractical for a library that may be used on systems that do not
> > have any file system to speak of.  ;-)
> 
> Red herring. 
>
Re-read the original post: the subject was a run-time configuration
file for the dynamic library (not for the utility applications
which are part of the OpenSSL distribution).

Mike
> Configuration options are equally effective regardless of 
> whether or not they come from a disk file. It so happens that the
> people hanging out on this list are also the type that use compiler
> options to build a tailor-made package for their appliance / device.
> But in practice, most of us regular "civilians" are using a stock
> package provided by their distribution.
> 
> Mike
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org