Changes between Initial Version and Version 1 of Ticket #1296, comment 17


Timestamp:
11/09/21 21:56:33 (15 months ago)
Author:
Selva Nair
Comment:


Version 2.5.2 should work -- the risk mentioned in the CVE could be mitigated by making the built-in OPENSSLDIR location read-only for users. AFAIK this location would point to "/etc/ssl" in the build, which probably gets interpreted as "C:/etc/ssl".

> [ system_default_sect ] didn't exist yet in openssl.cnf so I created a new section with this name

That's unlikely to work -- section names in OpenSSL config are arbitrary strings --- they get their meaning through definitions that point to the section name. In this case you want to set certain properties in SSL_CTX, which is controlled by the `system_default` variable. So you will at least need `ssl_conf` and `system_default` defined. For example, here is a relevant snippet from an openssl.cnf file:

{{{
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MinProtocol = TLSv1.1
SignatureAlgorithms = RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA+SHA1:ECDSA+SHA1
}}}

Also see the OpenSSL manual for config files --- especially the use of the `system_default` variable.
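The section chain the comment describes, as an added example that is not part of the ticket or of OpenSSL's own code: a small resolver that follows `openssl_conf` -> `ssl_conf` -> `system_default` over a constructed openssl.cnf and shows that a bare `[system_default_sect]` with nothing pointing to it is never reached. It assumes a simplified parser (no `$var` expansion, no `.include`).

```python
# Added example (not from the ticket or OpenSSL): resolve the config chain
# that gives [system_default_sect] its meaning. Simplified: no $var, no .include.

# Constructed config mirroring the snippet in the comment.
COMPLETE_CNF = """
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = system_default_sect
[system_default_sect]
MinProtocol = TLSv1.1
"""

# Constructed config with only the orphan section the reporter added.
ORPHAN_CNF = """
[system_default_sect]
MinProtocol = TLSv1.1
"""


def parse_cnf(text):
    """Parse openssl.cnf-style text into {section: {key: value}}. Keys before
    the first [section] header land in the unnamed default section."""
    sections = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def resolve_system_default(sections):
    """Follow default:openssl_conf -> ssl_conf -> system_default and return the
    settings of the section reached, or None if any link in the chain is
    missing. A section that no variable points to is simply never consulted."""
    section = "default"
    for key in ("openssl_conf", "ssl_conf", "system_default"):
        target = sections.get(section, {}).get(key)
        if target is None or target not in sections:
            return None
        section = target
    return sections[section]
```

Running `resolve_system_default(parse_cnf(ORPHAN_CNF))` returns `None`, which is why the reporter's section had no effect.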