Does the OpenSSL library automatically use openssl.cnf

Tags:

c++

openssl

We are looking at implementing secure sockets in our C++ application using the OpenSSL library. We'd like to use the openssl.cnf file to set which ciphers are acceptable to use. We've looked at the documentation and other posts regarding OpenSSL but we are still unsure whether the OpenSSL library automatically uses the settings in the openssl.cnf file or whether we need to write code to read in the values from openssl.cnf and set the values in the library. Could we get some clarification on this?

If the OpenSSL library automatically uses the settings, how does it find the openssl.cnf file if you choose not to use the OPENSSL_CONF environment variable? For instance, is it possible to set the location of the openssl.cnf in C++ code, or is there any other way to configure where the openssl.cnf file is located for a specific application?

Anthony asked Feb 05 '26 00:02


1 Answer

The config file is always loaded by default for all OpenSSL based applications as of OpenSSL 3.0 (for the default library context). Here is the relevant CHANGES entry:

https://github.com/openssl/openssl/blob/97446da7e05bd7164f5c36b68b8bef13a63e06a5/CHANGES.md?plain=1#L1819-L1824

The config file is loaded by default for libssl based applications only as of OpenSSL 1.1.1. Here is the relevant CHANGES entry:

https://github.com/openssl/openssl/blob/97446da7e05bd7164f5c36b68b8bef13a63e06a5/CHANGES.md?plain=1#L2942-L2944

For versions of OpenSSL older than 1.1.1 you have to explicitly load the config file.

If the OPENSSL_CONF environment variable is set then it will use that location in preference. If it is not set then it will load it from OPENSSL_DIR/openssl.cnf where OPENSSL_DIR is defined at compile time. The value of OPENSSL_DIR for your particular build of OpenSSL can be determined via openssl version -d. For me that is:

$ openssl version -d
OPENSSLDIR: "/usr/lib/ssl"

You can choose to load the config file programmatically if you wish. If you do that then it should probably be the first thing you do with OpenSSL (otherwise it might load it automatically anyway). For OpenSSL 3.0 you can use OSSL_LIB_CTX_load_config for this:

https://www.openssl.org/docs/man3.0/man3/OSSL_LIB_CTX_load_config.html

You can also use this function to load a config file for a non-default library context.

For older versions of OpenSSL you can load a config file via the CONF_modules_load_file function. You can also do this with 3.0 but OSSL_LIB_CTX_load_config is the preferred way.

https://www.openssl.org/docs/man3.0/man3/CONF_modules_load_file.html

Matt Caswell answered Feb 06 '26 15:02