Configurable loading of OpenSSL configuration file #2724

Closed
phlipsi opened this issue Jul 9, 2018 · 2 comments

phlipsi commented Jul 9, 2018

The libcurl library calls the OpenSSL function CONF_modules_load_file() in openssl.c, Curl_ossl_init(). This is obviously a good idea for freely configurable clients like curl in order to allow the users to tweak the underlying OpenSSL configuration. In our case this is rather undesirable: Our client is tightly coupled with a fixed server with a given TLS-configuration. We regard any changes in the OpenSSL configuration as a security risk or at least as unnecessary.

Feature-Request: Please add a configuration switch or something similar to disable the CONF_modules_load_file() call.

bagder (Member) commented Jul 9, 2018

Thanks, but this description sounds as if you're asking for a new feature/change. We use this tracker for bugs and issues only, we put ideas to work on in the future in the TODO document. We basically drown in good ideas so they don't do much use in our tracker.

If you really want to see this happen, start working on an implementation and submit a PR for it or join the mailing list and talk up more interest for it and see what help from others you can get!

phlipsi (Author) commented Jul 9, 2018

That sounds quite understandable and fair. Thank you for your explanation!

bagder closed this as completed in d3bd7cb Jul 10, 2018
pwaehnert added a commit to pwaehnert/curl that referenced this issue Jul 25, 2018
Sometimes it may be considered a security risk to load an external OpenSSL
configuration automatically inside curl_global_init(). The configuration
option --disable-ssl-auto-load-config disables this automatism. The Windows
build scripts winbuild/Makefile.vs provide a corresponding option
ENABLE_SSL_AUTO_LOAD_CONFIG accepting a boolean value.

Setting neither of these options corresponds to the previous behavior loading
the external OpenSSL configuration automatically.

Implements feature request curl#2724
bagder pushed a commit that referenced this issue Sep 7, 2018
Sometimes it may be considered a security risk to load an external
OpenSSL configuration automatically inside curl_global_init(). The
configuration option --disable-ssl-auto-load-config disables this
automatism. The Windows build scripts winbuild/Makefile.vs provide a
corresponding option ENABLE_SSL_AUTO_LOAD_CONFIG accepting a boolean
value.

Setting neither of these options corresponds to the previous behavior
loading the external OpenSSL configuration automatically.

Fixes #2724
Closes #2791
falconindy pushed a commit to falconindy/curl that referenced this issue Sep 10, 2018
Sometimes it may be considered a security risk to load an external
OpenSSL configuration automatically inside curl_global_init(). The
configuration option --disable-ssl-auto-load-config disables this
automatism. The Windows build scripts winbuild/Makefile.vs provide a
corresponding option ENABLE_SSL_AUTO_LOAD_CONFIG accepting a boolean
value.

Setting neither of these options corresponds to the previous behavior
loading the external OpenSSL configuration automatically.

Fixes curl#2724
Closes curl#2791
lock bot locked as resolved and limited conversation to collaborators Oct 8, 2018
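
For builds that keep the automatic load, it helps to know what the external file would actually change. The following is an added example, not code from this thread or from curl: a small audit script that lists the settings reachable from the `openssl_conf` entry in the default section, which is where OpenSSL's module loading starts by default. The sample file, its section names and the path in it are constructed, and the parser is a simplification that ignores `$var` expansion and `.include`.

```python
# Constructed sample openssl.cnf; every name, value and path is illustrative.
SAMPLE_CNF = """\
openssl_conf = openssl_init
[openssl_init]
ssl_conf = ssl_sect
engines = engine_sect
[ssl_sect]
system_default = tls_defaults
[tls_defaults]
MinProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=2
[engine_sect]
example_engine = example_engine_sect
[example_engine_sect]
dynamic_path = /placeholder/engine.so  # placeholder path
[req]
default_bits = 2048
"""

def parse_cnf(text):
    """Collect key = value pairs per section (no $var expansion, no .include)."""
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            sections[current][key] = value
    return sections

def module_settings(sections, appname="openssl_conf"):
    """List (path, value) settings reachable from the section `appname` names."""
    found, seen = [], {"default"}
    def walk(name, path):
        if name in seen:  # guard against sections that reference each other
            return
        seen.add(name)
        for key, value in sections.get(name, {}).items():
            if value in sections:  # heuristic: value names another section
                walk(value, path + [key])
            else:
                found.append(("/".join(path + [key]), value))
    walk(sections["default"].get(appname), [])
    return found

if __name__ == "__main__":
    print(module_settings(parse_cnf(SAMPLE_CNF)))
```

Sections that the entry point never references, such as `[req]` in the sample, do not appear in the result; an empty result means the file gives module loading nothing to apply.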