> Does the openssl library not read the config file thereby enforcing what is
> available to all applications that use the openssl library?

No it does not.

> What behaviour exists within the openssl library when it is built and
> configured with options to disable certain protocols or ciphers that could not
> be duplicated with runtime configuration options? 

Many things. Making a list would be an interesting and useful exercise, but 
nobody's ever done it.

> If this behaviour is not possible in openssl, I'm now wondering how feasible 
> it would be to interpose a library to intercept openssl calls and modify 
> application requests for protocols or ciphers.

It would be highly platform specific, but it is fairly feasible.  It won't 
catch everything.  For example, an application could set the mode bits directly 
(we've seen it), rather than call SSL_ctrl().

The safest code is that which doesn't exist.   #ifdef is a better defense, if 
you can afford it (some can't use it because they need runtime behavior 
control).
--  
Principal Security Engineer, Akamai Technologies
IM: rs...@jabber.me Twitter: RichSalz

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
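Added example (editor's code, not the poster's and not OpenSSL project code) of the interposer the reply calls feasible: an LD_PRELOAD shim in C that catches SSL_CTX_new(), SSL_CTX_ctrl() and SSL_CTX_set_cipher_list() and rewrites what the application asked for before the real libssl sees it. The site policy, the library and file names, the build line and the policy_* helpers are all assumptions; the two OpenSSL constants are taken from the 1.1.x ssl.h and should be checked against the headers you actually build against.

```c
/* sslpolicy.c - hypothetical LD_PRELOAD shim enforcing a site TLS policy.
 *   cc -shared -fPIC -o libsslpolicy.so sslpolicy.c -ldl
 *   LD_PRELOAD=./libsslpolicy.so ./some-tls-client
 * Assumes the application links libssl dynamically. */
#define _GNU_SOURCE
#include <dlfcn.h>
#include <stddef.h>
#include <string.h>

/* Weak so the shim still links on old glibc where dlsym() lives in libdl
 * and -ldl was omitted; with no resolver, every wrapper fails closed. */
#pragma weak dlsym

/* Opaque handles, declared here so the shim builds without OpenSSL headers. */
typedef struct ssl_ctx_st SSL_CTX;
typedef struct ssl_method_st SSL_METHOD;

/* Values from OpenSSL 1.1.x ssl.h; verify against your own headers. */
#define TLS1_2_VERSION                 0x0303
#define SSL_CTRL_SET_MIN_PROTO_VERSION 123

/* Site policy (assumed): lowest negotiable protocol, cipher-list tokens the
 * application may not request, and exclusions appended to every list so a
 * group name such as DEFAULT or ALL cannot pull a banned cipher back in. */
#define POLICY_MIN_VERSION TLS1_2_VERSION
static const char *const policy_banned[] = { "RC4", "DES", "MD5", "NULL", "EXPORT", NULL };
static const char policy_tail[] = "!aNULL:!eNULL:!RC4:!DES:!MD5:!EXPORT";

/* 1 if one cipher-list token passes policy. Directives (!X, -X, +X, @STRENGTH)
 * only remove or reorder ciphers, so they are always passed through. */
int policy_token_allowed(const char *tok) {
    if (tok[0] && strchr("!-+@", tok[0]))
        return 1;
    for (size_t i = 0; policy_banned[i]; i++)
        if (strstr(tok, policy_banned[i]))   /* substring: RC4-SHA, DES-CBC3-SHA, NULL-MD5 ... */
            return 0;
    return 1;
}

/* Rewrites an OpenSSL cipher-list string into out: drops banned tokens, then
 * appends policy_tail. Returns the number of application tokens kept (0 means
 * nothing acceptable remains), or -1 if the input or result does not fit. */
int policy_filter_ciphers(const char *list, char *out, size_t outlen) {
    char work[512];
    int kept = 0;
    if (strlen(list) >= sizeof work || outlen == 0)
        return -1;
    strcpy(work, list);
    out[0] = '\0';
    for (char *tok = strtok(work, ":, "); tok; tok = strtok(NULL, ":, ")) {
        if (!policy_token_allowed(tok))
            continue;
        if (strlen(out) + strlen(tok) + 2 > outlen)
            return -1;
        if (kept++)
            strcat(out, ":");
        strcat(out, tok);
    }
    if (strlen(out) + sizeof policy_tail + 1 > outlen)
        return -1;
    if (kept)
        strcat(out, ":");
    strcat(out, policy_tail);
    return kept;
}

/* Raises a requested protocol floor to the policy floor. OpenSSL treats 0 as
 * "no minimum", so it is clamped like any other value below the floor. */
long policy_clamp_min_version(long requested) {
    return requested < POLICY_MIN_VERSION ? POLICY_MIN_VERSION : requested;
}

/* Resolves the real libssl symbol that sits behind this shim in load order. */
static void *real_sym(const char *name) {
    return dlsym ? dlsym(RTLD_NEXT, name) : NULL;
}

typedef SSL_CTX *(*ctx_new_fn)(const SSL_METHOD *);
typedef long (*ctx_ctrl_fn)(SSL_CTX *, int, long, void *);
typedef int (*cipher_list_fn)(SSL_CTX *, const char *);

/* Interposed SSL_CTX_new(): apply the floor as soon as a context exists, so an
 * application that never sets a minimum version still gets one. */
SSL_CTX *SSL_CTX_new(const SSL_METHOD *meth) {
    static ctx_new_fn real;
    static ctx_ctrl_fn real_ctrl;
    if (!real) real = (ctx_new_fn)real_sym("SSL_CTX_new");
    if (!real_ctrl) real_ctrl = (ctx_ctrl_fn)real_sym("SSL_CTX_ctrl");
    if (!real || !real_ctrl)
        return NULL;                       /* no libssl behind the shim: fail closed */
    SSL_CTX *ctx = real(meth);
    if (ctx)
        real_ctrl(ctx, SSL_CTRL_SET_MIN_PROTO_VERSION, POLICY_MIN_VERSION, NULL);
    return ctx;
}

/* Interposed SSL_CTX_ctrl(): SSL_CTX_set_min_proto_version() is a macro over
 * this call in 1.1.x, so a later attempt to lower the floor lands here. */
long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) {
    static ctx_ctrl_fn real;
    if (!real) real = (ctx_ctrl_fn)real_sym("SSL_CTX_ctrl");
    if (!real)
        return 0;
    if (cmd == SSL_CTRL_SET_MIN_PROTO_VERSION)
        larg = policy_clamp_min_version(larg);
    return real(ctx, cmd, larg, parg);
}

/* Interposed SSL_CTX_set_cipher_list(): hand libssl the filtered list, or
 * report failure (0, as libssl itself would) when nothing acceptable is left. */
int SSL_CTX_set_cipher_list(SSL_CTX *ctx, const char *str) {
    static cipher_list_fn real;
    char buf[1024];
    if (!real) real = (cipher_list_fn)real_sym("SSL_CTX_set_cipher_list");
    if (!real || policy_filter_ciphers(str, buf, sizeof buf) <= 0)
        return 0;
    return real(ctx, buf);
}
```

The gaps the reply warns about are visible in the code itself: the shim only sees calls that go through these exported entry points, so an application that writes mode or option bits into the structure directly, one that is statically linked, or one that uses a path the shim does not wrap is not covered. Two such paths worth knowing: SSL_CTX_set_options() is a macro over SSL_CTX_ctrl(SSL_CTRL_OPTIONS) in 1.0.x but a real function in 1.1.0 and later, so it needs its own wrapper there; and SSL_CTX_set_cipher_list() does not govern TLS 1.3 ciphersuites, which go through SSL_CTX_set_ciphersuites(). Every such hole is one more argument for the compile-time approach in the reply.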