On Sat, Sep 3, 2011 at 7:16 AM, Michael S. Zick <open...@morethan.org> wrote:
> On Fri September 2 2011, Michael B Allen wrote:
>> On Fri, Sep 2, 2011 at 4:07 PM, Dr. Stephen Henson <st...@openssl.org> wrote:
>> > On Fri, Sep 02, 2011, Coda Highland wrote:
>> >
>> >> > Well I was hoping there was some kind of global configuration file
>> >> > directive that would affect the behavior of the openssl library and at
>> >> > least everything dynamically linked with it. But based on your answer
>> >> > it's fairly clear that there is no such option.
>> >>
>> >> He said that for OpenSSL 1.0.0 that the cipher list controls it. You
>> >> can configure the cipher list from openssl.cnf.
>> >>
>> >
>> > Actually you can't. Applications generally have their own way of setting
>> > the cipherlist or just rely on the default value and don't allow it to be
>> > changed at all.
>>
>> It would be very nice if there was a "cipher" list option that
>> applications could not override so that you can absolutely block SSLv2
>> on the whole machine by only editing one file (openssl.cnf and not
>> httpd/conf.d/ssl.conf, postfix/main.cf, dovecot.conf, etc).
>>
>> I do not want to build anything from source anymore. Then I would have
>> to watch for updates and rebuild all the time.
>>
>
> As a "position statement" I understand your point.
>
> But you seem to have survived skipping all of the library updates
> between 0.9.8e and the 1.0 series while depending on your package
> manager.
> So if you __did not__ "watch for updates and rebuild all the time"
> you would be no worse off than you are now.

Not true. CentOS (which is just RedHat without the branding) does the
"watch for updates" part and backports anything of real importance.
Meaning some security vulnerability fixed in 1.0 would, in theory, be
backported to 0.9.8e.

>> I would much rather
>> just rely on the distribution's package repository to keep me
>> up-to-date.
>>
>> I'm currently using openssl 0.9.8e from CentOS 5.6. But CentOS 6 has
>> openssl 1.0 and it also has Postfix 2.6 which supports the
>> smtpd_tls_protocols = !SSLv2 directive which is required to disable
>> SSLv2 in Postfix at the app-level. So it sounds like I will need to
>> migrate to CentOS 6.
>>
>
> OR, modify your package manager control files to select OpenSSL and Postfix
> packages from the newer distribution repository rather than migrate
> the entire OS to a new distribution.
>
> OR, from a centOS-5 repository that tracks updates to the packages that
> you feel are critical to your usage more closely than the "release repo".
>
> Lots of ways you could choose to "shape" your administration tasks to
> your liking.  ;-)
> All of those decisions are best made by yourself.
>
> Back to your original question -
> Building a dynamic library that refers to an on-disk control file seems
> a bit impractical for a library that may be used on systems that do not
> have any file system to speak of.  ;-)

Red herring. Configuration options are equally effective regardless of
whether or not they come from a disk file. It so happens that the
people hanging out on this list are also the type that use compiler
options to build a tailor made package for their appliance / device.
But in practice, most of us regular "civilians" are using a stock
package provided by their distribution.

Mike

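Added example, not from the thread or from any of the projects it names: a small Python audit that walks constructed fragments of the three per-application configs Mike lists (postfix main.cf, httpd ssl.conf, dovecot.conf) and reports whether each one explicitly disables SSLv2, which is the per-file work a single openssl.cnf setting would have replaced. Only `smtpd_tls_protocols` appears in the thread; the Apache `SSLProtocol` and Dovecot `ssl_protocols` directives are assumptions here.

```python
import re

# Constructed sample fragments of the three per-application config files
# named in the thread; none of this is real content from any system.
SAMPLE_CONFIGS = {
    "postfix/main.cf": "smtpd_tls_cert_file = /etc/pki/tls/certs/cert.pem\n"
                       "smtpd_tls_protocols = !SSLv2\n",
    "httpd/conf.d/ssl.conf": "SSLEngine on\nSSLProtocol all\nSSLCipherSuite HIGH:!aNULL\n",
    "dovecot.conf": "ssl = yes\n# ssl_protocols = !SSLv2\n",
}

def _directive(text, name, sep):
    """Value of the last uncommented `name` line; commented lines never match."""
    pat = re.compile(r"^[ \t]*" + re.escape(name) + sep + r"(.*?)[ \t]*$", re.M)
    found = pat.findall(text)
    return found[-1] if found else None

def _tokens(value):
    return [t for t in re.split(r"[\s,]+", value) if t]

def sslv2_status(path, text):
    """'disabled' (explicitly), 'allowed' (explicitly) or 'not configured'."""
    if path.endswith("main.cf"):          # Postfix: smtpd_tls_protocols = !SSLv2
        val = _directive(text, "smtpd_tls_protocols", r"[ \t]*=[ \t]*")
        if val is None:
            return "not configured"
        return "disabled" if "!SSLv2" in _tokens(val) else "allowed"
    if path.endswith("ssl.conf"):         # Apache mod_ssl: SSLProtocol all -SSLv2 (assumed)
        val = _directive(text, "SSLProtocol", r"[ \t]+")
        if val is None:
            return "not configured"
        toks = _tokens(val)
        if "-SSLv2" in toks:
            return "disabled"
        if "all" in toks or "SSLv2" in toks or "+SSLv2" in toks:
            return "allowed"
        return "disabled"                 # explicit list that never names SSLv2
    if path.endswith("dovecot.conf"):     # Dovecot: ssl_protocols = !SSLv2 (assumed)
        val = _directive(text, "ssl_protocols", r"[ \t]*=[ \t]*")
        if val is None:
            return "not configured"
        return "disabled" if "!SSLv2" in _tokens(val) else "allowed"
    return "unknown"

def audit(configs):
    """One verdict per file: each of these has to be checked and edited on its own."""
    return {path: sslv2_status(path, text) for path, text in configs.items()}

if __name__ == "__main__":
    for path, status in audit(SAMPLE_CONFIGS).items():
        print(f"{path:24s} SSLv2 {status}")
```

In the sample, only Postfix explicitly disables SSLv2; Apache's `SSLProtocol all` still permits it and Dovecot's directive is commented out, so it falls back to whatever that version's default is.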
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org