
Updating how openssl is configured. #603

Merged
merged 3 commits into from
Apr 20, 2020

Conversation

manchicken

Per guidance from the openssl project, this seems like it might be the more correct way to configure openssl with the default configuration files.

@alanxz
Owner

alanxz commented Mar 8, 2020

Could you point to the guidance provided by the OpenSSL project?

@manchicken
Author

> Could you point to the guidance provided by the OpenSSL project?

Sure. Here's the comment they added to my issue that I asked them for help on: net-amqp-rabbitmq/net-amqp-rabbitmq#186 (comment)

@manchicken
Author

And here's what they posted on the mailing list:

With OpenSSL 1.1.1b and forward the correct way to initialize the SSL
library with a custom application name "appname" (from some code slated
to some day be integrated into Postfix) is:

```c
#include <openssl/conf.h>    /* CONF_MFLAGS_* */
#include <openssl/crypto.h>  /* OPENSSL_INIT_* */
#include <openssl/ssl.h>     /* OPENSSL_init_ssl */

/* Returns 1 on success, 0 on failure. On OpenSSL older than 1.1.1b the
 * body is compiled out and the function is a no-op that reports success. */
static int init_ssl_library(void)
{
#if OPENSSL_VERSION_NUMBER >= 0x1010102fL
    OPENSSL_INIT_SETTINGS *init_settings = NULL;
    unsigned long init_opts = 0;
    /* A missing config file is not an error; a broken one still is. */
    unsigned long init_flags = CONF_MFLAGS_IGNORE_MISSING_FILE;

    if ((init_settings = OPENSSL_INIT_new()) == 0) {
        /* error */
        return 0;
    }

    OPENSSL_INIT_set_config_appname(init_settings, "appname");
    /*
     * By not including CONF_MFLAGS_IGNORE_RETURN_CODES, we get strict error
     * reporting. We don't insist on a match for the requested application
     * name, allowing fallback to the default application name, even when a
     * non-default application name is specified by always setting the
     * CONF_MFLAGS_DEFAULT_SECTION bit.
     */
    init_flags |= CONF_MFLAGS_DEFAULT_SECTION;
    OPENSSL_INIT_set_config_file_flags(init_settings, init_flags);

    if (OPENSSL_init_ssl(init_opts, init_settings) <= 0) {
        /* error */
        OPENSSL_INIT_free(init_settings);
        return 0;
    }
    /* The settings object is only read during initialization; free it. */
    OPENSSL_INIT_free(init_settings);
#endif
    return 1;
}
```

I don't recall whether/when it may be appropriate to call
CONF_module_load_file(). That may have to be done after the library is
initialized.

I still don't know what all those looping libraries were, none of the
sort are present on my system.
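For reference, this is the shape of an openssl.cnf that the initialization sequence quoted above would consult when the application name is "appname". It is an added illustration, not part of this PR, of rabbitmq-c, or of the mailing-list post; the section names and the policy values inside them are constructed for the example.

```ini
# Constructed example openssl.cnf (not from the PR or the OpenSSL docs).
#
# The unnamed default section at the top maps application names to the
# section that holds that application's settings. With
# OPENSSL_INIT_set_config_appname(init_settings, "appname") OpenSSL looks
# up the key "appname" here first.
appname      = appname_init

# Because the caller sets CONF_MFLAGS_DEFAULT_SECTION, OpenSSL falls back
# to the default application name "openssl_conf" when the "appname" key
# is absent, so the application is still governed by the system policy.
openssl_conf = openssl_init

# --- settings selected when the "appname" key is present -----------------
[appname_init]
ssl_conf = appname_ssl

[appname_ssl]
# "system_default" is applied to every SSL_CTX the process creates.
system_default = appname_ssl_defaults

[appname_ssl_defaults]
MinProtocol  = TLSv1.2
CipherString = DEFAULT:@SECLEVEL=2

# --- settings selected by the fallback to "openssl_conf" ------------------
[openssl_init]
ssl_conf = openssl_ssl

[openssl_ssl]
system_default = openssl_ssl_defaults

[openssl_ssl_defaults]
MinProtocol = TLSv1.2
```

Two things follow from the flags in the quoted code. First, CONF_MFLAGS_IGNORE_MISSING_FILE means that if this file does not exist at all, OPENSSL_init_ssl still succeeds and no policy is applied, so an application that relies on the file for its minimum protocol or security level should check separately that the policy actually took effect. Second, because CONF_MFLAGS_IGNORE_RETURN_CODES is deliberately left out, a syntax error or an unknown directive in the section that was selected makes OPENSSL_init_ssl return failure instead of silently running with whatever was parsed before the error; a misconfigured policy is then loud rather than quietly absent.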

@alanxz
Owner

alanxz commented Mar 12, 2020

Could you link to that message in whatever mailing list archive you found the above?

https://wiki.openssl.org/index.php/Library_Initialization#OpenSSL_config seems to indicate something slightly different yet. (sigh I wish the OpenSSL docs weren't so hard to understand).

@manchicken
Author

manchicken commented Mar 12, 2020

Sure, sorry I forgot to before: https://mta.openssl.org/pipermail/openssl-users/2020-March/011978.html

@manchicken
Author

@alanxz: any thoughts on how to proceed?

@manchicken
Author

Thoughts, @alanxz? I’m still not sure what to do to resolve this.

@manchicken
Author

I updated the branch. Could you help me get this updated? More folks are upgrading to OpenSSL 1.1.1, and this is causing my code to break.

@alanxz
Owner

alanxz commented Apr 20, 2020

Sorry, this fell off my radar. Let's proceed with what you have here.
