Correct location of openssl.cnf file

Tags:

openssl

I have an Ubuntu system and I have installed OpenSSL. Now I want to make changes to the config file. I searched my folders and found the following locations for the config files. Which is the main/correct one that I should use to make changes? I need to add an engine here. Any help would be appreciated. Here are the locations:

/usr/local/ssl/openssl.cnf
/usr/lib/ssl/openssl.cnf
/etc/ssl/openssl.cnf
user907810 asked Jan 31 '14 10:01

2 Answers

RHEL: /etc/pki/tls/openssl.cnf

user2451964 answered Oct 02 '22 08:10

/usr/local/ssl/openssl.cnf

This is a local installation. You downloaded and built OpenSSL taking the default prefix, or you configured with ./config --prefix=/usr/local/ssl or ./config --openssldir=/usr/local/ssl.

You will use this if you use the OpenSSL in /usr/local/ssl/bin. That is, /usr/local/ssl/openssl.cnf will be used when you issue:

/usr/local/ssl/bin/openssl s_client -connect localhost:443 -tls1 -servername localhost 

/usr/lib/ssl/openssl.cnf

This is where Ubuntu places openssl.cnf for the OpenSSL they provide.

You will use this if you use the OpenSSL in /usr/bin. That is, /usr/lib/ssl/openssl.cnf will be used when you issue:

openssl s_client -connect localhost:443 -tls1 -servername localhost 

/etc/ssl/openssl.cnf

I don't know when this is used. The stuff in /etc/ssl is usually certificates and private keys, and it sometimes contains a copy of openssl.cnf. But I've never seen it used for anything.


Which is the main/correct one that I should use to make changes?

From the sounds of it, you should probably add the engine to /usr/lib/ssl/openssl.cnf. That ensures most "off the shelf" gear will use the new engine.

After you do that, add it to /usr/local/ssl/openssl.cnf also because copy/paste is easy.


Here's how to see which openssl.cnf directory is associated with an OpenSSL installation. The library and programs look for openssl.cnf in OPENSSLDIR. OPENSSLDIR is a configure option, and it's set with --openssldir.

I'm on a MacBook with three different OpenSSLs (Apple's, MacPorts' and the one I build):

# Apple
$ /usr/bin/openssl version -a | grep OPENSSLDIR
OPENSSLDIR: "/System/Library/OpenSSL"

# MacPorts
$ /opt/local/bin/openssl version -a | grep OPENSSLDIR
OPENSSLDIR: "/opt/local/etc/openssl"

# My build of OpenSSL
$ openssl version -a | grep OPENSSLDIR
OPENSSLDIR: "/usr/local/ssl/darwin"

I have an Ubuntu system and I have installed openssl.

Just bike shedding, but be careful of Ubuntu's version of OpenSSL. It disables TLSv1.1 and TLSv1.2, so you will only have clients capable of older cipher suites; and you will not be able to use newer ciphers like AES/CTR (to replace RC4) and elliptic curve gear (like ECDHE_ECDSA_* and ECDHE_RSA_*). See Ubuntu 12.04 LTS: OpenSSL downlevel version is 1.0.0, and does not support TLS 1.2 in Launchpad.

EDIT: Ubuntu enabled TLS 1.1 and TLS 1.2 recently. See Comment 17 on the bug report.

jww answered Oct 02 '22 07:10

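An added example, not from either answer, that automates the OPENSSLDIR check jww describes: it resolves which openssl.cnf each OpenSSL binary on the box will read (honouring the OPENSSL_CONF environment variable, which overrides OPENSSLDIR/openssl.cnf when set) and then confirms whether that file actually wires up an engines section, so an engine added to the wrong copy is caught. The candidate binary paths and the sample `version -a` output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: find the openssl.cnf each OpenSSL binary really loads, then
# check that the engines stanza was added to the copy that is in effect.

# Extract the OPENSSLDIR value from captured `openssl version -a` output
# (read on stdin); prints the directory without quotes, or nothing.
parse_openssldir() {
    sed -n 's/^OPENSSLDIR: *"\(.*\)"$/\1/p' | head -n 1
}

# Print the config file a given openssl binary will read. OPENSSL_CONF in the
# environment takes precedence over OPENSSLDIR/openssl.cnf. Returns 1 if the
# binary is missing or reports no OPENSSLDIR.
config_for_binary() {
    bin="$1"
    if [ -n "$OPENSSL_CONF" ]; then
        printf '%s\n' "$OPENSSL_CONF"
        return 0
    fi
    dir=$("$bin" version -a 2>/dev/null | parse_openssldir)
    [ -n "$dir" ] || return 1
    printf '%s/openssl.cnf\n' "$dir"
}

# True when the config file points its openssl_conf section at an engines
# section (the "engines = <section>" line an engine setup needs).
engines_wired() {
    grep -Eq '^[[:space:]]*engines[[:space:]]*=' "$1"
}

# Constructed sample of `openssl version -a` output (Ubuntu-style OPENSSLDIR),
# so the parser can be exercised without any particular OpenSSL installed.
SAMPLE_VERSION_OUTPUT='OpenSSL 1.0.1 14 Mar 2012
built on: Thu Jan  1 00:00:00 UTC 1970
platform: debian-amd64
OPENSSLDIR: "/usr/lib/ssl"'

# Report, for each candidate install from the question and answers that exists
# on this machine, which config it reads and whether engines are wired there.
report_all() {
    for bin in /usr/bin/openssl /usr/local/ssl/bin/openssl /opt/local/bin/openssl; do
        [ -x "$bin" ] || continue
        cfg=$(config_for_binary "$bin") || continue
        if engines_wired "$cfg"; then state=engines-wired; else state=no-engines; fi
        printf '%-28s -> %s (%s)\n' "$bin" "$cfg" "$state"
    done
}

report_all
```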