openssl: config engines in /etc/ssl/engines.cnf.d
This changes the configuration of engines from the global openssl.cnf to files in the /etc/ssl/engines.cnf.d directory. The engines.cnf file has the list of enabled engines, while each engine has its own configuration file installed under /etc/ssl/engines.cnf.d. Patches were refreshed with --zero-commit. Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
This commit is contained in:
Eneas U de Queiroz
committed by
Petr Štetiar
Petr Štetiar
parent
aae7af4219
commit
17a6ca12d3
@@ -1,6 +1,17 @@
|
||||
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
||||
From: Eneas U de Queiroz <cotequeiroz@gmail.com>
|
||||
Date: Sat, 27 Mar 2021 17:43:25 -0300
|
||||
Subject: openssl.cnf: add engine configuration
|
||||
|
||||
This adds configuration options for engines, loading all cnf files under
|
||||
/etc/ssl/engines.d/.
|
||||
|
||||
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
|
||||
|
||||
diff --git a/apps/openssl.cnf b/apps/openssl.cnf
|
||||
--- a/apps/openssl.cnf
|
||||
+++ b/apps/openssl.cnf
|
||||
@@ -22,6 +22,99 @@ oid_section = new_oids
|
||||
@@ -22,6 +22,13 @@ oid_section = new_oids
|
||||
# (Alternatively, use a configuration file that has only
|
||||
# X.509v3 extensions in its main [= default] section.)
|
||||
|
||||
@@ -9,93 +20,7 @@
|
||||
+[openssl_conf]
|
||||
+engines=engines
|
||||
+
|
||||
+[engines]
|
||||
+# To enable an engine, install the package, and uncomment it here:
|
||||
+#devcrypto=devcrypto
|
||||
+#afalg=afalg
|
||||
+#padlock=padlock
|
||||
+##gost=gost
|
||||
+
|
||||
+[afalg]
|
||||
+# Leave this alone and configure algorithms with CIPERS/DIGESTS below
|
||||
+default_algorithms = ALL
|
||||
+
|
||||
+# The following commands are only available if using the alternative
|
||||
+# (sync) AFALG engine
|
||||
+# Configuration commands:
|
||||
+# Run 'openssl engine -t -c -vv -pre DUMP_INFO devcrypto' to see a
|
||||
+# list of supported algorithms, along with their driver, whether they
|
||||
+# are hw accelerated or not, and the engine's configuration commands.
|
||||
+
|
||||
+# USE_SOFTDRIVERS: specifies whether to use software (not accelerated)
|
||||
+# drivers (0=use only accelerated drivers, 1=allow all drivers, 2=use
|
||||
+# if acceleration can't be determined) [default=2]
|
||||
+#USE_SOFTDRIVERS = 2
|
||||
+
|
||||
+# CIPHERS: either ALL, NONE, NO_ECB (all except ECB-mode) or a
|
||||
+# comma-separated list of ciphers to enable [default=NO_ECB]
|
||||
+# Starting in 1.2.0, if you use a cipher list, each cipher may be
|
||||
+# followed by a colon (:) and the minimum request length to use
|
||||
+# AF_ALG drivers for that cipher; smaller requests are processed by
|
||||
+# softare; a negative value will use the default for that cipher
|
||||
+#CIPHERS=AES-128-CBC:1024, AES-256-CBC:768, DES-EDE3-CBC:0
|
||||
+
|
||||
+# DIGESTS: either ALL, NONE, or a comma-separated list of digests to
|
||||
+# enable [default=NONE]
|
||||
+# It is strongly recommended not to enable digests; their performance
|
||||
+# is poor, and there are many cases in which they will not work,
|
||||
+# especially when calling fork with open crypto contexts. Openssh,
|
||||
+# for example, does this, and you may not be able to login.
|
||||
+#DIGESTS = NONE
|
||||
+
|
||||
+[devcrypto]
|
||||
+# Leave this alone and configure algorithms with CIPERS/DIGESTS below
|
||||
+default_algorithms = ALL
|
||||
+
|
||||
+# Configuration commands:
|
||||
+# Run 'openssl engine -t -c -vv -pre DUMP_INFO devcrypto' to see a
|
||||
+# list of supported algorithms, along with their driver, whether they
|
||||
+# are hw accelerated or not, and the engine's configuration commands.
|
||||
+
|
||||
+# USE_SOFTDRIVERS: specifies whether to use software (not accelerated)
|
||||
+# drivers (0=use only accelerated drivers, 1=allow all drivers, 2=use
|
||||
+# if acceleration can't be determined) [default=2]
|
||||
+#USE_SOFTDRIVERS = 2
|
||||
+
|
||||
+# CIPHERS: either ALL, NONE, or a comma-separated list of ciphers to
|
||||
+# enable [default=ALL]
|
||||
+# It is recommended to disable the ECB ciphers; in most cases, it will
|
||||
+# only be used for PRNG, in small blocks, where performance is poor,
|
||||
+# and there may be problems with apps forking with open crypto
|
||||
+# contexts, leading to failures. The CBC ciphers work well:
|
||||
+#CIPHERS=DES-CBC, DES-EDE3-CBC, AES-128-CBC, AES-192-CBC, AES-256-CBC
|
||||
+
|
||||
+# DIGESTS: either ALL, NONE, or a comma-separated list of digests to
|
||||
+# enable [default=NONE]
|
||||
+# It is strongly recommended not to enable digests; their performance
|
||||
+# is poor, and there are many cases in which they will not work,
|
||||
+# especially when calling fork with open crypto contexts. Openssh,
|
||||
+# for example, does this, and you may not be able to login.
|
||||
+#DIGESTS = NONE
|
||||
+
|
||||
+[padlock]
|
||||
+default_algorithms = ALL
|
||||
+
|
||||
+[gost]
|
||||
+default_algorithms = ALL
|
||||
+# CRYPT_PARAMS: OID of default GOST 28147-89 parameters It allows the
|
||||
+# user to choose between different parameter sets of symmetric cipher
|
||||
+# algorithm. RFC 4357 specifies several parameters for the
|
||||
+# GOST 28147-89 algorithm, but OpenSSL doesn't provide user interface
|
||||
+# to choose one when encrypting. So use engine configuration parameter
|
||||
+# instead.
|
||||
+# Value of this parameter can be either short name, defined in OpenSSL
|
||||
+# obj_dat.h header file or numeric representation of OID, defined in
|
||||
+# RFC 4357. Defaults to id-tc26-gost-28147-param-Z
|
||||
+#CRYPT_PARAMS = id-tc26-gost-28147-param-Z
|
||||
+
|
||||
+# PBE_PARAMS: Shortname of default digest alg for PBE
|
||||
+#PBE_PARAMS =
|
||||
+.include /etc/ssl/engines.cnf.d
|
||||
+
|
||||
[ new_oids ]
|
||||
|
||||
|
||||
Reference in New Issue
Block a user