I would like to restart the discussion about possibilities of system-wide configurability of OpenSSL and particularly libssl.

Historically OpenSSL allowed only for configuration of the enabled ciphersuites list if the application called the appropriate API call. This is now enhanced with the SSL_CONF API and the applications can set things such as allowed signature algorithms or protocol versions via this API. However libssl currently does not have a way to apply some policy such as using just protocol TLS1.2 or better system-wide, with a possibility for the sysadmin to configure this via some configuration file. Of course it would still be up to individual application configurations whether they override such policy or not, but it would be useful for the sysadmin to be able to set such policy and depend on that setting if he does not modify the settings in individual application configurations.

How would OpenSSL maintainers regard a patch that would add loading of a system-wide SSL configuration file on startup and application of it on SSL_CTX initialization (or some other appropriate place)? Is this approach the way to go forward or do you have some better way in mind?

Such an effort was initially attempted in the https://github.com/openssl/openssl/pull/192 and https://github.com/openssl/openssl/pull/193 pull requests, but given the comments, we are exploring other options to achieve that goal. What do you think could be a better way?

Thanks for your comments,

-- 
Tomáš Mráz
Red Hat

No matter how far down the wrong road you've gone, turn back.
                                              Turkish proverb
[You'll know whether the road is wrong if you carefully listen to your conscience.]

* Google and NSA associates, this message is none of your business.
* Please leave it alone, and consider whether your actions are
* authorized by the contract with Red Hat, or by the US constitution.
* If you feel you're being encouraged to disregard the limits built
* into them, remember Edward Snowden and Wikileaks.

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev