On Tue, Jul 08, 2014 at 10:00:24AM -0400, Tomas Hozza wrote:
> I'm afraid this is not suitable for us. We need to be able to define the
> policy somewhere in /etc, where the user is not able to change it (only
> the system administrator).
>
I hope you can also prevent the user from running his own wget executable, or ld-preloading a modified OpenSSL library, or intercepting open(2) calls to provide a fake /etc file.

> Also the main intention is to have a single place to set the policy for all
> system components, therefore wgetrc is not the right place for us.
>
What about changing wget to call OPENSSL_config(NULL) instead of setting some hard-coded preference string? Then you can teach OpenSSL to load your /etc configuration instead of patching each application.

-- Petr