Overriding OpenSSL CipherString at a more granular level in Debian 10?

  • Override system default with user level environment:
    • An empty file will do: touch ~/.openssl.cnf
    • BASH define & export: export OPENSSL_CONF=~/.openssl.cnf
  • Wrap application within a script: export OPENSSL_CONF=/dev/null
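The per-application override from the answer above, as an added example that is not part of the original post: it writes a config in the section layout Debian 10's /etc/ssl/openssl.cnf uses and runs a single command under it via OPENSSL_CONF, leaving the system-wide SECLEVEL=2 untouched; legacy_app is a hypothetical placeholder name.

```shell
#!/bin/sh
# Added example (not from the original post): scope a relaxed CipherString to one
# application instead of editing /etc/ssl/openssl.cnf for the whole host.

# Write a minimal OpenSSL 1.1.1 config (same section layout Debian 10 ships in
# /etc/ssl/openssl.cnf) that sets CipherString for one process tree.
#   $1 = path of the config file to create, $2 = security level (e.g. 1)
make_openssl_cnf() {
    cat > "$1" <<EOF
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=$2
EOF
}

# Run a command with OPENSSL_CONF pointing at the per-application config.
# Only this process and its children see the override; every other OpenSSL
# user on the host keeps the system default (SECLEVEL=2 on Debian 10).
#   $1 = config path, remaining args = command to run
run_with_openssl_conf() {
    _cnf=$1; shift
    OPENSSL_CONF=$_cnf "$@"
}

# Extract the CipherString a config will apply, so the relaxed setting can be
# reviewed before a wrapper script is deployed.
cipherstring_of() {
    sed -n 's/^CipherString *= *//p' "$1"
}

# Demo: legacy_app is a hypothetical placeholder for the one service that still
# needs SECLEVEL=1; here it only reports which config it was given.
demo_cnf=$(mktemp)
make_openssl_cnf "$demo_cnf" 1
run_with_openssl_conf "$demo_cnf" sh -c 'echo "legacy_app would use OPENSSL_CONF=$OPENSSL_CONF"'
# openssl ciphers -s -v "$(cipherstring_of "$demo_cnf")" lists what that string allows
rm -f "$demo_cnf"
```

Programs that disable OpenSSL's automatic config loading ignore OPENSSL_CONF, so confirm the effective cipher list with openssl ciphers -s -v as suggested in the comments.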


Author: blihp (updated on September 18, 2022)

Comments

  • blihp over 1 year

    In Debian 10, the upgraded OpenSSL package has more secure defaults (per https://wiki.debian.org/ContinuousIntegration/TriagingTips/openssl-1.1.1) which causes problems for some of my existing application configurations.

    Changing /etc/ssl/openssl.cnf to use CipherString = DEFAULT@SECLEVEL=1 keeps my old configurations working but of course that's a system-wide change.

    What I am wondering is if it is possible to keep the system default of CipherString = DEFAULT@SECLEVEL=2 and change this setting at a more granular level?

    Specifically, I would like to change the setting on a per-site level in Apache if possible.

    • Patrick Mevzek over 4 years
      The setting is typically per application. For Apache, look at httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslciphersuite
    • blihp over 4 years
      @PatrickMevzek I believe the CipherString is different from the SSLCipherSuite (i.e. I can't see how to specify a SSLCipherSuite directive that is functionally identical to the openssl.cnf CipherString options)
    • Patrick Mevzek over 4 years
      /etc/ssl/openssl.cnf is just a default OpenSSL configuration; it is not necessarily used by applications. You are not clearly specifying which applications you use that depend on this file. The two are the same thing: do openssl ciphers -s -v 'ALL:@SECLEVEL=2' and you will see the specific ciphers that are included, which you can then use in your Apache configuration. Also search for SECLEVEL on access.redhat.com/articles/3652701; you will see you can use it directly in Apache configuration...
  • waitfor over 3 years
    I think that this answers the opposite to the original question.
  • Conrad T. Pino over 3 years
    Yes, original question is for per site granularity. I point out user level granularity may be useful if per site remains elusive.