On Fri, Sep 2, 2011 at 4:07 PM, Dr. Stephen Henson <st...@openssl.org> wrote:
> On Fri, Sep 02, 2011, Coda Highland wrote:
>
>> > Well I was hoping there was some kind of global configuration file
>> > directive that would affect the behavior of the openssl library and at
>> > least everything dynamically linked with it. But based on your answer
>> > it's fairly clear that there is no such option.
>>
>> He said that for OpenSSL 1.0.0 the cipher list controls it. You
>> can configure the cipher list from openssl.cnf.
>>
>
> Actually you can't. Applications generally have their own way of setting the
> cipherlist or just rely on the default value and don't allow it to be changed
> at all.
It would be very nice if there was a "cipher" list option that applications
could not override so that you can absolutely block SSLv2 on the whole machine
by only editing one file (openssl.cnf and not httpd/conf.d/ssl.conf,
postfix/main.cf, dovecot.conf, etc).

I do not want to build anything from source anymore. Then I would have to
watch for updates and rebuild all the time. I would much rather just rely on
the distribution's package repository to keep me up-to-date.

I'm currently using openssl 0.9.8e from CentOS 5.6. But CentOS 6 has
openssl 1.0 and it also has Postfix 2.6 which supports the
smtpd_tls_protocols = !SSLv2 directive which is required to disable SSLv2 in
Postfix at the app-level. So it sounds like I will need to migrate to CentOS 6.

Mike
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
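Since there is no single OpenSSL-wide switch, the practical fallback is to audit each application's own setting. The script below is an added example, not code from this thread or from any of the projects named; it checks the httpd and Postfix files the poster lists and assumes httpd 2.2 semantics (an absent `SSLProtocol`, or `all`, includes SSLv2) and Postfix 2.6 semantics (an absent or empty `smtpd_tls_protocols` allows every protocol).

```shell
#!/bin/sh
# Added example (not from the thread): report whether SSLv2 is disabled in
# per-application configs. Assumes httpd 2.2 and Postfix 2.6 defaults.

# Apache mod_ssl: take the last uncommented SSLProtocol line and apply its
# tokens in order, as mod_ssl does ("all -SSLv2" ends with SSLv2 off).
apache_sslv2_disabled() {
    line=$(grep -i '^[[:space:]]*sslprotocol[[:space:]]' "$1" | tail -n 1 | tr 'A-Z' 'a-z')
    [ -n "$line" ] || return 1          # directive absent: default "all" includes SSLv2
    set -- $line; shift                 # drop the directive name, keep the tokens
    enabled=0
    for tok in "$@"; do
        case "$tok" in
            all|+all|sslv2|+sslv2) enabled=1 ;;
            -all|-sslv2)           enabled=0 ;;
        esac
    done
    [ "$enabled" -eq 0 ]
}

# Postfix: smtpd_tls_protocols is either an exclusion list ("!SSLv2, !SSLv3")
# or an inclusion list ("TLSv1"); SSLv2 is off when excluded or not listed.
postfix_sslv2_disabled() {
    line=$(grep '^[[:space:]]*smtpd_tls_protocols[[:space:]]*=' "$1" | tail -n 1 | tr 'A-Z' 'a-z')
    [ -n "$line" ] || return 1          # parameter absent: 2.6 default allows everything
    value=$(printf '%s' "${line#*=}" | tr -d ' \t,')
    [ -n "$value" ] || return 1         # empty value means the same as absent
    case "$value" in
        *'!sslv2'*) return 0 ;;         # explicitly excluded
        *'!'*)      return 1 ;;         # exclusion list that does not name SSLv2
        *sslv2*)    return 1 ;;         # inclusion list that names SSLv2
        *)          return 0 ;;         # inclusion list without SSLv2
    esac
}

# audit apache:/path/to/ssl.conf postfix:/path/to/main.cf ...
# Exit status is 0 only when every file checked has SSLv2 off.
audit() {
    rc=0
    for spec in "$@"; do
        kind=${spec%%:*}; file=${spec#*:}
        if "${kind}_sslv2_disabled" "$file"; then
            echo "OK        $file"
        else
            echo "SSLv2 ON  $file"; rc=1
        fi
    done
    return $rc
}

[ "$#" -eq 0 ] || audit "$@"
```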