prefer system crypto policy #215
Conversation
|
To summarize, it is easier for a sysadmin to alter a configuration than to change an hardcoded value in sources ;) |
|
More explanation about why this change is needed |
alejandro-colomar
requested review from
alejandro-colomar
and removed request for
igorsysoev
| if (conf->ciphers) { /* else use system crypto policy */ | ||
| if (SSL_CTX_set_cipher_list(ctx, conf->ciphers) == 0) { | ||
| nxt_openssl_log_error(task, NXT_LOG_ALERT, | ||
| "SSL_CTX_set_cipher_list(\"%s\") failed", | ||
| ciphers); | ||
| goto fail; | ||
| conf->ciphers); | ||
| goto fail; | ||
| } | ||
| } |
There was a problem hiding this comment.
Hi Remi!
Please detail in the commit message the mechanism by which system crypto policy is being used in the "else" case. Is it by not calling SSL_CTX_set_cipher_list(), or how?
There was a problem hiding this comment.
If you don't call SSL_CTX_set_cipher_list, then you use system default. The goal of this PR
|
If this PR is still necessary, please rebase it against the master branch. |
remicollet
force-pushed
the
issue-systempolicy
branch
from
41243ec to
d8b70ea
Compare
|
Rebased |
|
Looks good to me. Please include something like Thanks! |
|
BTW, it would also be nice if you add a changelog line into |
If you don't call SSL_CTX_set_cipher_list, then you use system default. Signed-off-by: Remi Collet <remi@remirepo.net>
remicollet
force-pushed
the
issue-systempolicy
branch
from
d8b70ea to
5125605
Compare
|
Great. I'll push it in a moment. Thanks! |
|
Merged. |
Mandatory for official repository
See
Perhaps better to have a configure option for this (like the --with-system-ciphers of PHP°