diff options
| author | Pauli <pauli@openssl.org> | 2021-07-29 09:55:09 +1000 |
|---|---|---|
| committer | Pauli <pauli@openssl.org> | 2021-08-04 08:15:14 +1000 |
| commit | 92c03668c0cd77434006b613e3429888a0a8ecfe (patch) | |
| tree | ef15d575c88ddc3ec5f88c7696849419012fcfe3 /demos | |
| parent | 6b38d7dc1bccc708279ca5091ebc28cd4bdf225d (diff) | |
| download | openssl-92c03668c0cd77434006b613e3429888a0a8ecfe.zip openssl-92c03668c0cd77434006b613e3429888a0a8ecfe.tar.gz openssl-92c03668c0cd77434006b613e3429888a0a8ecfe.tar.bz2 | |
Add config_diagnostics to our configuration files.
The change to a more configuration based approach to enable FIPS mode
operation highlights a shortcoming in the default should do something
approach we've taken for bad configuration files.
Currently, a bad configuration file will be automatically loaded and
once the badness is detected, it will silently stop processing the
configuration and continue normal operations. This is good for remote
servers, allowing changes to be made without bricking things. It's bad
when a user thinks they've configured what they want but got something
wrong and it still appears to work.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/16171)
Diffstat (limited to 'demos')
| -rw-r--r-- | demos/bio/accept.cnf | 6 | ||||
| -rw-r--r-- | demos/bio/cmod.cnf | 3 | ||||
| -rw-r--r-- | demos/bio/connect.cnf | 6 | ||||
| -rw-r--r-- | demos/certs/apps/apps.cnf | 4 | ||||
| -rw-r--r-- | demos/certs/ca.cnf | 3 |
5 files changed, 22 insertions, 0 deletions
diff --git a/demos/bio/accept.cnf b/demos/bio/accept.cnf index cb0cefb..ce36678 100644 --- a/demos/bio/accept.cnf +++ b/demos/bio/accept.cnf @@ -1,10 +1,16 @@ # Example configuration file + +# Comment out the next line to ignore configuration errors +config_diagnostics = 1 + # Port to listen on Port = 4433 + # Disable TLS v1.2 for test. # Protocol = ALL, -TLSv1.2 # Only support 3 curves Curves = P-521:P-384:P-256 + # Restricted signature algorithms SignatureAlgorithms = RSA+SHA512:ECDSA+SHA512 Certificate=server.pem diff --git a/demos/bio/cmod.cnf b/demos/bio/cmod.cnf index 39ac54e..df514db 100644 --- a/demos/bio/cmod.cnf +++ b/demos/bio/cmod.cnf @@ -4,6 +4,9 @@ # and section containing configuration testapp = test_sect +# Comment out the next line to ignore configuration errors +config_diagnostics = 1 + [test_sect] # list of configuration modules diff --git a/demos/bio/connect.cnf b/demos/bio/connect.cnf index ab76440..0049a77 100644 --- a/demos/bio/connect.cnf +++ b/demos/bio/connect.cnf @@ -1,9 +1,15 @@ # Example configuration file + +# Comment out the next line to ignore configuration errors +config_diagnostics = 1 + # Connects to the default port of s_server Connect = localhost:4433 + # Disable TLS v1.2 for test. # Protocol = ALL, -TLSv1.2 # Only support 3 curves Curves = P-521:P-384:P-256 + # Restricted signature algorithms SignatureAlgorithms = RSA+SHA512:ECDSA+SHA512 diff --git a/demos/certs/apps/apps.cnf b/demos/certs/apps/apps.cnf index 07a3d10..72ed70d 100644 --- a/demos/certs/apps/apps.cnf +++ b/demos/certs/apps/apps.cnf @@ -7,6 +7,10 @@ HOME = . CN = "Not Defined" +# Comment out the next line to ignore configuration errors +config_diagnostics = 1 + + #################################################################### [ req ] default_bits = 2048 diff --git a/demos/certs/ca.cnf b/demos/certs/ca.cnf index 2fbf204..e0c73c4 100644 --- a/demos/certs/ca.cnf +++ b/demos/certs/ca.cnf @@ -8,6 +8,9 @@ HOME = . CN = "Not Defined" default_ca = ca +# Comment out the next line to ignore configuration errors +config_diagnostics = 1 + #################################################################### [ req ] default_bits = 1024 |