With automatic library initialization in OpenSSL 1.1.0 and later, settings from the system-wide "openssl.cnf" file are automatically loaded and may in turn cause various "modules" to be initialized.
For example, with:

    openssl.conf:
        openssl_conf = system-wide-modules
        #
        [system-wide-modules]
        ssl_conf = system-wide-ssl
        #
        [system-wide-ssl]
        system_default = ssl-defaults
        #
        [ssl-defaults]
        MinProtocol = TLSv1.2
        ...

the settings in the "ssl-defaults" section will be loaded into memory, and will be applied to every SSL_CTX() via:

    SSL_CTX_new() ->
        ssl_ctx_system_config() ->
            ssl_do_config() ->
                conf_ssl_get()
                ...
                SSL_CONF_cmd()

Any settings loaded via SSL_CTX_config() are in addition to the above, possibly not necessarily overriding some of the implicit defaults.

Looking at the code, it seems that the only way to make sure that the application is not affected by unexpected system-wide settings is to load an alternative configuration file, via:

    CONF_modules_load_file()

making sure that the file contains at least one profile in the "ssl_conf" module section, whose section (to avoid errors) requires at least one setting (empty sections should IMHO be tolerated, but currently raise errors).

For example, it seems that the below will suffice to avoid inheriting any settings from the default system-wide openssl.cnf file:

    openssl.conf:
        myapp = myapp-modules
        #
        [myapp-modules]
        ssl_conf = myapp-ssl-module
        #
        [myapp-ssl-module]
        bogus-profile = bogus-ssl-settings
        #
        [bogus-ssl-settings]
        MinProtocol = TLSv1.0

If the above is wrong or missing key details, please let me know.

Beyond the sanity check, it seems to me that some of the "big picture" is missing from the documentation. We have descriptions of pieces of the API, but discussion of the interaction with automatic initialization and how all the pieces fit together seems to be missing. The docs seem to date back to 1.0.2, and the changes in 1.1.0 are not generally properly reflected. This would be good to address.

-- 
    Viktor.
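As an added example (not part of the original message and not OpenSSL code), the Python below follows the lookup chain the message describes, from the application name through "ssl_conf" to "system_default", and reports which settings a given configuration file would apply implicitly to every SSL_CTX. The function names `parse_cnf` and `implicit_ssl_defaults` are hypothetical, the parser handles only the syntax shown in the message (no `.include`, no `$variable` expansion), and treating a chain with no "system_default" entry as "nothing applied" is an assumption taken from the message's conclusion.

```python
import re

SECTION = re.compile(r"^\[\s*([^\]]+?)\s*\]$")

def parse_cnf(text):
    """Parse a subset of openssl.cnf syntax into {section: {name: value}}."""
    # Simplified: no .include, no $variable expansion, no line continuations.
    sections = {"default": {}}
    current = sections["default"]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        m = SECTION.match(line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif "=" in line:
            name, value = line.split("=", 1)
            current[name.strip()] = value.strip()
    return sections

def implicit_ssl_defaults(text, appname="openssl_conf"):
    """Follow appname -> ssl_conf -> system_default; return the settings found."""
    cnf = parse_cnf(text)
    section = "default"
    for key in (appname, "ssl_conf", "system_default"):
        target = cnf[section].get(key)
        if target not in cnf:
            return {}  # assumption: a broken chain means nothing is applied
        section = target
    return dict(cnf[section])

# Constructed inputs: the two configurations quoted in the message.
SYSTEM_WIDE = """
openssl_conf = system-wide-modules
[system-wide-modules]
ssl_conf = system-wide-ssl
[system-wide-ssl]
system_default = ssl-defaults
[ssl-defaults]
MinProtocol = TLSv1.2
"""
APP_PRIVATE = """
myapp = myapp-modules
[myapp-modules]
ssl_conf = myapp-ssl-module
[myapp-ssl-module]
bogus-profile = bogus-ssl-settings
[bogus-ssl-settings]
MinProtocol = TLSv1.0
"""
```

Calling `implicit_ssl_defaults(SYSTEM_WIDE)` returns the MinProtocol setting from "ssl-defaults", while `implicit_ssl_defaults(APP_PRIVATE, appname="myapp")` returns an empty dict because the private file names no "system_default" profile.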