
SSL_CTX_config

NAME

SSL_CTX_config, SSL_config - configure SSL_CTX or SSL structure

SYNOPSIS

#include <openssl/ssl.h>

int SSL_CTX_config(SSL_CTX *ctx, const char *name);
int SSL_config(SSL *s, const char *name);

DESCRIPTION

The functions SSL_CTX_config() and SSL_config() apply additional configuration settings to an SSL_CTX or SSL structure using the configuration name. The name must match a parameter in the configuration file's ssl module section, whose value is the name of another section with SSL configuration commands. See SSL_CONF_cmd(3) for a description of the available commands.

By calling SSL_CTX_config() or SSL_config() an application can perform many complex tasks based on the contents of the configuration file: greatly simplifying application configuration code. Some future-proofing can be attained this way: the specified configuration section can specify settings supported by the run-time version of OpenSSL that were not known at the time the application code was written.

A configuration file must have been previously loaded, for example using CONF_modules_load_file(3). See config(5) for details of the configuration file syntax. In most applications the default openssl.cnf file is loaded automatically as part of library initialisation.

RETURN VALUES

SSL_CTX_config() and SSL_config() return 1 for success or 0 if an error occurred.

EXAMPLES

If, for example, the loaded configuration file contains the following:

# Top level "default" section; if no application name was specified as part
# of initialisation, it defaults to "openssl_conf".
openssl_conf = openssl_init

[openssl_init]
# SSL module initialisation
ssl_conf = ssl_init

[ssl_init]
system_default = default_ssl_settings
tweaks_for_tls12 = tls12_custom_settings
tweaks_for_tls13 = tls13_custom_settings

[default_ssl_settings]
MinProtocol = TLSv1.2
# Defaults are typically the wisest choice, override only with good cause.
MinProtocol = ...
Ciphers = ...
Groups = ...
SignatureAlgorithms = ...

[tls12_custom_settings]
# Defaults are typically the wisest choice, override only with good cause.
MaxProtocol = TLSv1.2
...

[tls13_custom_settings]
# Defaults are typically the wisest choice, override only with good cause.
MinProtocol = TLSv1.3
...

An application that wants to only use "TLS 1.2" might call:

SSL_CTX *ctx = NULL;

/* Initialised per "system_default" settings */
if ((ctx = SSL_CTX_new(TLS_server_method())) == NULL) {
    fprintf(stderr, "Error creating the SSL context.\n");
    goto err;
}

/*
 * Further tweaks per the "ssl" module "tweaks_for_tls12" setting, i.e. the
 * configuration file's "tls12_custom_settings" section.
 */
if (SSL_CTX_config(ctx, "tweaks_for_tls12") == 0) {
    fprintf(stderr, "Error applying 'tweaks_for_tls12' context configuration.\n");
    goto err;
}

/* ... use ctx ... */

err:
    /* SSL_CTX_free() accepts NULL, so this is safe on either failure path. */
    SSL_CTX_free(ctx);

The setting of the protocol version ceiling and any other settings relevant to TLS 1.2 are in the configuration file, and don't need to be hard-coded in the application. Similarly, using tweaks_for_tls13 as the configuration name applies the corresponding settings from the "tls13_custom_settings" section (per the SSL module tweaks_for_tls13 parameter).

SEE ALSO

ssl(7), config(5), SSL_CONF_cmd(3), SSL_CTX_new(3), CONF_modules_load_file(3), OPENSSL_init_ssl(3)

HISTORY

The SSL_CTX_config() and SSL_config() functions were added in OpenSSL 1.1.0.

Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.

Licensed under the Apache License 2.0 (the "License"). You may not use this file except in compliance with the License. You can obtain a copy in the file LICENSE in the source distribution or at https://www.openssl.org/source/license.html.