mirror of
https://github.com/openssl/openssl.git
synced 2024-12-21 06:09:35 +08:00
92c03668c0
The change to a more configuration based approach to enable FIPS mode operation highlights a shortcoming in the default should do something approach we've taken for bad configuration files. Currently, a bad configuration file will be automatically loaded and once the badness is detected, it will silently stop processing the configuration and continue normal operations. This is good for remote servers, allowing changes to be made without bricking things. It's bad when a user thinks they've configured what they want but got something wrong and it still appears to work. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/16171)
28 lines
622 B
INI
28 lines
622 B
INI
# Example config module configuration
|
|
|
|
# Name supplied by application to CONF_modules_load_file
|
|
# and section containing configuration
|
|
testapp = test_sect
|
|
|
|
# Comment out the next line to ignore configuration errors
|
|
config_diagnostics = 1
|
|
|
|
[test_sect]
|
|
# list of configuration modules
|
|
|
|
# SSL configuration module
|
|
ssl_conf = ssl_sect
|
|
|
|
[ssl_sect]
|
|
# list of SSL configurations
|
|
server = server_sect
|
|
|
|
[server_sect]
|
|
# Only support 3 curves
|
|
Curves = P-521:P-384:P-256
|
|
# Restricted signature algorithms
|
|
SignatureAlgorithms = RSA+SHA512:ECDSA+SHA512
|
|
# Certificates and keys
|
|
RSA.Certificate=server.pem
|
|
ECDSA.Certificate=server-ec.pem
|