OpenSSL library interposer to make existing binary software use more secure TLS protocol variants

TLS Interposer

OpenSSL library interposer to get software to use more secure TLS protocol variants.


  1. Disables SSLv2 and SSLv3 (broken) and enables everything else (up to TLS 1.2, starting with OpenSSL 1.0.1)
  2. Enables ECDHE algorithms for forward secrecy
  3. Disables all weak algorithms; the default cipher list still includes RC4 as a last-resort compatibility mode

Environment Variables

  • LD_PRELOAD: Used by, should be set to /full/path/to/
  • TLS_INTERPOSER_CIPHERS: The ciphers to use, defaults to Qualys SSLlabs recommendations
  • TLS_INTERPOSER_OPTIONS: Comma-separated list of options
    • debug: Be verbose, by default on stderr
    • logfile: Log to /var/log/tlsinterposer.log; fall back to stderr
    • libssl=: Full name of, if not autodetected correctly
    • -comp: Disable compression
    • -ccert: Prevent the server from asking for client certificates
    • +sorder: Force server cipher order, aka tls_preempt_cipherlist (Postfix) or SSLHonorCipherOrder (Apache httpd)
    • -rc4: Switches the default ciphers from the Qualys recommendations with RC4 to those without RC4 (has no effect on TLS_INTERPOSER_CIPHERS)
    • -tlsv1: Disable TLSv1, leaving TLSv1.1 and TLSv1.2, if supported
    • +sslv3: Reenable SSLv3 (advised against)
    • +sslv2: Reenable SSLv2 (strongly advised against)
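
A strict pre-flight validator for a TLS_INTERPOSER_OPTIONS value, added here as an example (it is not the project's own parser), so that a mistyped token is caught before deployment instead of being assumed to have taken effect. The struct, field and function names are hypothetical, and the defaults are inferred from the option descriptions above.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Effective settings. Names are hypothetical; defaults are read off the option list. */
struct tlsi_policy {
    int debug, logfile, comp, ccert, sorder, rc4;  /* feature switches */
    int tlsv1, sslv3, sslv2;                       /* protocol versions */
    char libssl[128];                              /* value of "libssl=", empty if unset */
};
#define OPT(tok, field, v) { tok, offsetof(struct tlsi_policy, field), v }
static const struct { const char *tok; size_t off; int val; } tlsi_opts[] = {
    OPT("debug", debug, 1),  OPT("logfile", logfile, 1), OPT("-comp", comp, 0),
    OPT("-ccert", ccert, 0), OPT("+sorder", sorder, 1),  OPT("-rc4", rc4, 0),
    OPT("-tlsv1", tlsv1, 0), OPT("+sslv3", sslv3, 1),    OPT("+sslv2", sslv2, 1),
};

/* Returns 0, or the 1-based position of the first token that is not a documented option. */
int tlsi_parse(const char *opts, struct tlsi_policy *p)
{
    static const struct tlsi_policy defaults = { .comp = 1, .ccert = 1, .rc4 = 1, .tlsv1 = 1 };
    size_t i, n = sizeof tlsi_opts / sizeof tlsi_opts[0];
    int pos = 0;
    *p = defaults;
    while (opts && *opts) {
        size_t len = strcspn(opts, ",");   /* length of the current token */
        pos++;
        if (len > 7 && len - 7 < sizeof p->libssl && strncmp(opts, "libssl=", 7) == 0) {
            memcpy(p->libssl, opts + 7, len - 7);
            p->libssl[len - 7] = '\0';
        } else {
            for (i = 0; i < n; i++)
                if (strlen(tlsi_opts[i].tok) == len && !strncmp(opts, tlsi_opts[i].tok, len))
                    break;
            if (i == n)
                return pos;                /* typo, empty token or unknown option */
            *(int *)((char *)p + tlsi_opts[i].off) = tlsi_opts[i].val;
        }
        opts += len + (opts[len] == ',');  /* skip the token and its separator */
    }
    return 0;
}

int main(void)
{
    struct tlsi_policy p;
    int bad = tlsi_parse(getenv("TLS_INTERPOSER_OPTIONS"), &p);
    if (bad) fprintf(stderr, "token %d is not a documented option\n", bad);
    return bad != 0;
}
```

A value such as `-comp,-sslv3` is rejected at token 2: `-sslv3` is not in the list, because SSLv3 is already off unless `+sslv3` is given.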


Download, make, make install.


Start the process with LD_PRELOAD environment variable set to /path/to/ . For example,

env LD_PRELOAD=/usr/local/lib/ apache2ctl start

enables Apache 2.2 to use the modern ciphers.

More information and documentation is available at
