Configurable loading of OpenSSL configuration file #2724

Closed
phlipsi opened this Issue Jul 9, 2018 · 2 comments

phlipsi commented Jul 9, 2018

The libcurl library calls the OpenSSL function CONF_modules_load_file() in openssl.c, Curl_ossl_init(). This is obviously a good idea for freely configurable clients like curl in order to allow the users to tweak the underlying OpenSSL configuration. In our case this is rather undesirable: Our client is tightly coupled with a fixed server with a given TLS-configuration. We regard any changes in the OpenSSL configuration as a security risk or at least as unnecessary.

Feature-Request: Please add a configuration switch or something similar to disable the CONF_modules_load_file() call.

Member

bagder commented Jul 9, 2018

Thanks, but this description sounds as if you're asking for a new feature/change. We use this tracker for bugs and issues only; we put ideas to work on in the future in the TODO document. We basically drown in good ideas so they don't do much use in our tracker.

If you really want to see this happen, start working on an implementation and submit a PR for it or join the mailing list and talk up more interest for it and see what help from others you can get!

phlipsi commented Jul 9, 2018

That sounds quite understandable and fair. Thank you for your explanation!

bagder closed this in d3bd7cb Jul 10, 2018

pwaehnert added a commit to pwaehnert/curl that referenced this issue Jul 25, 2018

openssl: adds config option to disable automatic OpenSSL config loading

Sometimes it may be considered a security risk to load an external OpenSSL
configuration automatically inside curl_global_init(). The configuration
option --disable-ssl-auto-load-config disables this automatism. The Windows
build scripts winbuild/Makefile.vs provide a corresponding option
ENABLE_SSL_AUTO_LOAD_CONFIG accepting a boolean value.

Setting neither of these options corresponds to the previous behavior loading
the external OpenSSL configuration automatically.

Implements feature request curl#2724

bagder added a commit that referenced this issue Sep 7, 2018

configure: add option to disable automatic OpenSSL config loading

Sometimes it may be considered a security risk to load an external
OpenSSL configuration automatically inside curl_global_init(). The
configuration option --disable-ssl-auto-load-config disables this
automatism. The Windows build scripts winbuild/Makefile.vs provide a
corresponding option ENABLE_SSL_AUTO_LOAD_CONFIG accepting a boolean
value.

Setting neither of these options corresponds to the previous behavior
loading the external OpenSSL configuration automatically.

Fixes #2724
Closes #2791

falconindy added a commit to falconindy/curl that referenced this issue Sep 10, 2018

configure: add option to disable automatic OpenSSL config loading

Sometimes it may be considered a security risk to load an external
OpenSSL configuration automatically inside curl_global_init(). The
configuration option --disable-ssl-auto-load-config disables this
automatism. The Windows build scripts winbuild/Makefile.vs provide a
corresponding option ENABLE_SSL_AUTO_LOAD_CONFIG accepting a boolean
value.

Setting neither of these options corresponds to the previous behavior
loading the external OpenSSL configuration automatically.

Fixes curl#2724
Closes curl#2791

lock bot locked as resolved and limited conversation to collaborators Oct 8, 2018
