On 2/3/19 11:40 AM, Achim Gratz via devel wrote:
> Richard Laager via devel writes:
>> On 2/2/19 3:08 AM, Achim Gratz via devel wrote:
>>> Changing the OpenSSL ciphersuites is typically done on system-level,
>>> application-level is not unheard of, but I haven't personally seen a
>>> per-server configuration.
>>
>> I strongly disagree. This is absolutely, 100% commonly done at the
>> application level. I have spent many, many hours doing this on systems
>> I've built myself and on canned appliance-type things like cPanel.
>
> Where in the above sentence did I say that it was _not_ done at the
> application level? Or do you disagree that I _personally_ haven't seen
> it done for single servers (either on system or application level)?

I was disagreeing with "typically done on system level". I think it's
typically done at the application level. I've seen a ton of tutorials
for doing it at the application level, and zero for doing it
system-wide. Also, as I mentioned, cPanel does this at the application
level, even though it would be in a perfect position to set it
system-wide, even if it was the management layer duplicating it out to
every daemon.

I've never seen it done at the system level. I wasn't even aware it was
possible to adjust the ciphers list system-wide (short of maybe
recompiling OpenSSL). Apparently this is new, in OpenSSL 1.1.1:
https://github.com/openssl/openssl/pull/4848

-- 
Richard

_______________________________________________
devel mailing list
devel@ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/devel