Implementing NTS options

Richard Laager rlaager at wiktel.com
Sun Feb 3 21:28:26 UTC 2019


On 2/3/19 11:40 AM, Achim Gratz via devel wrote:
> Richard Laager via devel writes:
>> On 2/2/19 3:08 AM, Achim Gratz via devel wrote:
>>> Changing the OpenSSL ciphersuites is typically done on system-level,
>>> application-level is not unheard of, but I haven't personally seen a
>>> per-server configuration.
>>
>> I strongly disagree. This is absolutely, 100% commonly done at the
>> application level. I have spent many, many hours doing this on systems
>> I've built myself and on canned appliance-type things like cPanel.
> 
> Where in the above sentence did I say that it was _not_ done at the
> application level?  Or do you disagree that I _personally_ haven't seen
> it done for single servers (either on system or application level)?

I was disagreeing with "typically done on system level". I think it's
typically done at the application level. I've seen a ton of tutorials
for doing it at the application level, and zero for doing it
system-wide. Also, as I mentioned, cPanel does this at the application
level, even though it would be in a perfect position to set it
system-wide, even if it was the management layer duplicating it out to
every daemon.

I've never seen it done at the system level. I wasn't even aware it was
possible to adjust the ciphers list system-wide (short of maybe
recompiling OpenSSL). Apparently this is new, in OpenSSL 1.1.1:
https://github.com/openssl/openssl/pull/4848

-- 
Richard

