Re: [openssl-users] Is it possible to disable SSLv3 for all openssl-enabled applications via settings in openssl.cnf?

2014-10-16 Thread Todd Pfaff

On Thu, 16 Oct 2014, Erwann Abalea wrote:

Would you like all your OpenSSL-enabled applications to be configured all the 
same, with the same protocols and same ciphersuites?


No.  I was just wondering whether it was possible to exclude support for
SSLv3 at runtime in one place for all openssl-enabled applications, rather
than having to rebuild openssl from source to achieve this same result.

tp
__
OpenSSL Project                 http://www.openssl.org
User Support Mailing List       openssl-users@openssl.org
Automated List Manager          majord...@openssl.org


Re: Is it possible to disable SSLv3 for all openssl-enabled applications via settings in openssl.cnf?

2014-10-16 Thread Todd Pfaff

Does the openssl library not read the config file thereby enforcing
what is available to all applications that use the openssl library?
Or am I being too optimistic?

What behaviour exists within the openssl library when it is built and
configured with options to disable certain protocols or ciphers that
could not be duplicated with runtime configuration options?  I realize
that those runtime configuration options may not yet exist - they do not
according to Rich's response to my previous email - but that is what I
was hoping for when I asked my question yesterday.

If this behaviour is not possible in openssl, I'm now wondering how
feasible it would be to interpose a library to intercept openssl calls
and modify application requests for protocols or ciphers.

tp


On Thu, 16 Oct 2014, Dmitry Belyavsky wrote:


Hello Rich,
Unfortunately not all applications read the openssl config file...

On Thu, Oct 16, 2014 at 2:53 AM, Salz, Rich  wrote:
  > > I'd like to be able to disable SSLv3 for all openssl-enabled
  > > applications in a single configuration file if possible, so that this
  > > doesn't have to be done for each application.
  >
  > No it's not possible.
  >
  > Not enhancement idea, tho.

  AARGH.  "Nice" enhancement idea.

  --
  Principal Security Engineer, Akamai Technologies
  IM: rs...@jabber.me Twitter: RichSalz





--
SY, Dmitry Belyavsky





Is it possible to disable SSLv3 for all openssl-enabled applications via settings in openssl.cnf?

2014-10-15 Thread Todd Pfaff

I'd like to be able to disable SSLv3 for all openssl-enabled applications
in a single configuration file if possible, so that this doesn't have to
be done for each application.

I realize that this could be done by building openssl from source but
I imagine it could also be possible to configure this via openssl.cnf.

I've done plenty of reading and searching today and haven't found any
documentation describing if and how this can be done.

There is an old thread here from 2011-09-02 with a similar question
in regard to SSLv2:

  http://marc.info/?l=openssl-users&m=131498558227525&w=2

and if I understand what's said in that thread this can be done by
configuring the cipherlist in openssl.cnf to a set that limits the
available protocols (i.e. set cipherlist to ciphers that don't include
SSL I guess).

However, also based on what's said in that thread, it sounds like the
setting of cipherlist in openssl.cnf doesn't necessarily limit an
application from using other openssl ciphers.  Is that true?  Or am I
misinterpreting what I read in that thread?  And perhaps has the situation
changed since 2011-09-02?

Can anyone provide a clear example openssl.cnf that shows how this could
be done?  If possible, preferably an example that is based on the default
/etc/pki/tls/openssl.cnf in a CentOS 6.5 installation from this package:
openssl-1.0.1e-16.el6_5.15.x86_64.

Thanks,
tp
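As an added example that is not part of this thread or of OpenSSL itself: the thread's conclusion is that openssl.cnf cannot force the protocol set, so each application has to do it on its own SSL context. This is what that per-application setting looks like through Python's ssl module, which wraps libssl; the function names are mine.

```python
import ssl
import warnings

# Added example, not from the thread: the per-application protocol floor that
# openssl.cnf cannot impose. Function names are the author's assumptions.


def hardened_client_context(floor=ssl.TLSVersion.TLSv1_2):
    """Client context that can never negotiate SSLv2/SSLv3 or anything below `floor`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    # Legacy knob (the one a 1.0.1-era application would call as SSL_CTX_set_options):
    # PROTOCOL_TLS_CLIENT already sets these bits; newer Pythons warn that the
    # OP_NO_* constants are deprecated in favour of minimum_version, so we set
    # both and silence only that warning.
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    # Modern knob: libssl enforces this floor for every connection on the context.
    ctx.minimum_version = floor
    return ctx


def sslv3_refused(ctx):
    """True when either mechanism rules SSLv3 out for this context."""
    bit_set = bool(ctx.options & ssl.OP_NO_SSLv3)
    floor_above = ctx.minimum_version > ssl.TLSVersion.SSLv3
    return bit_set or floor_above


def protocol_floor(ctx):
    """Name of the lowest protocol version the context will negotiate."""
    return ctx.minimum_version.name


if __name__ == "__main__":
    c = hardened_client_context()
    print("SSLv3 refused:", sslv3_refused(c), "floor:", protocol_floor(c))
```

A cipher string on its own never changes the answer here: a context built this way refuses SSLv3 whatever `set_ciphers()` later selects, which is the point the 2011 thread was making about cipherlist.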