Overriding OpenSSL CipherString at a more granular level in Debian 10?
- Override system default with user level environment:
  - An empty file will do:
    touch ~/.openssl.cnf
  - BASH define & export:
    export OPENSSL_CONF=~/.openssl.cnf
- Wrap application within a script:
    export OPENSSL_CONF=/dev/null
Author: blihp
Updated on September 18, 2022

Comments
- blihp over 1 year
  In Debian 10, the upgraded OpenSSL package has more secure defaults (per https://wiki.debian.org/ContinuousIntegration/TriagingTips/openssl-1.1.1) which causes problems for some of my existing application configurations.
  Changing /etc/ssl/openssl.cnf to use
  CipherString = DEFAULT@SECLEVEL=1
  keeps my old configurations working, but of course that's a system-wide change. What I am wondering is if it is possible to keep the system default of
  CipherString = DEFAULT@SECLEVEL=2
  and change this setting at a more granular level? Specifically, I would like to change the setting on a per-site level in Apache if possible.
- Patrick Mevzek over 4 years
  The setting is typically per application. For Apache, look at httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite
- blihp over 4 years
  @PatrickMevzek I believe the CipherString is different from the SSLCipherSuite (i.e. I can't see how to specify a SSLCipherSuite directive that is functionally identical to the openssl.cnf CipherString options)
- Patrick Mevzek over 4 years
  /etc/ssl/openssl.cnf is just a default OpenSSL configuration, it is not necessarily used by applications. You are not clearly specifying which applications you use that depend on this file. The two are the same thing: do
  openssl ciphers -s -v 'ALL:@SECLEVEL=2'
  and you will see the specific ciphers that are included, which you can then use in your Apache configuration. Also search for SECLEVEL on access.redhat.com/articles/3652701 and you will see you can use it directly in Apache configuration...
- waitfor over 3 years
  I think that this answers the opposite of the original question.
- Conrad T. Pino over 3 years
  Yes, the original question is for per-site granularity. I point out that user-level granularity may be useful if per-site remains elusive.
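As an added example that is not part of the original thread, this script combines the user-level override from the answer with the `openssl ciphers -s` check from the comments: it writes a config file that mirrors the Debian 10 section layout (assumed from that release's /etc/ssl/openssl.cnf) with only the security level lowered, scopes it to one process through OPENSSL_CONF, and counts the suites offered at each level.

```shell
#!/bin/sh
# Added example, not code from the original thread: a per-user openssl.cnf that
# keeps Debian 10's section layout but lowers only the security level, a wrapper
# that applies it to one process via OPENSSL_CONF, and a cipher count check.
set -eu

# Write a minimal openssl.cnf mirroring the Debian 10 layout, with CipherString
# set to the requested SECLEVEL.  $1 = destination path, $2 = level (0-5).
write_user_openssl_cnf() {
    cat > "$1" <<EOF
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=$2
EOF
}

# Run one command with the given config; every other process keeps using
# /etc/ssl/openssl.cnf.  $1 = config path, remaining args = the command.
run_with_openssl_conf() {
    cnf=$1; shift
    OPENSSL_CONF=$cnf "$@"
}

# Count the suites OpenSSL still offers at a level (prints 0 when no openssl
# binary is present), so the effect of an override is visible up front.
count_ciphers_at_level() {
    command -v openssl >/dev/null 2>&1 || { echo 0; return; }
    openssl ciphers -s "DEFAULT@SECLEVEL=$1" | tr ':' '\n' | wc -l | tr -d ' '
}

main() {
    cnf=$(mktemp)   # constructed sample path; a real setup would use ~/.openssl.cnf
    write_user_openssl_cnf "$cnf" 1
    run_with_openssl_conf "$cnf" sh -c 'echo "child sees OPENSSL_CONF=$OPENSSL_CONF"'
    echo "suites at SECLEVEL=1: $(count_ciphers_at_level 1)"
    echo "suites at SECLEVEL=2: $(count_ciphers_at_level 2)"
    rm -f "$cnf"
}

main
```

Pointing OPENSSL_CONF at /dev/null, as the answer also suggests, discards the Debian-wide MinProtocol and SECLEVEL settings entirely, so the explicit file is the narrower change.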