openssl.cnf 文件的正确位置 [英] Correct location of openssl.cnf file
问题描述
我有一个 Ubuntu 系统并且我已经安装了 OpenSSL.现在我想对配置文件进行更改.我搜索了我的文件夹并找到了配置文件的以下位置.哪个是我应该用来进行更改的主要/正确的?我需要在这里添加一个引擎.任何帮助,将不胜感激.地点如下:
/usr/local/ssl/openssl.cnf/usr/lib/ssl/openssl.cnf/etc/ssl/openssl.cnf/usr/local/ssl/openssl.cnf
这是本地安装.您使用默认的 prefix 下载并构建了 OpenSSL,其中配置了 ./config --prefix=/usr/local/ssl 或 ./config --openssldir=/usr/local/ssl.
如果您使用/usr/local/ssl/bin 中的OpenSSL,您将使用这个.也就是说,/usr/local/ssl/openssl.cnf 会在你发出时使用:
/usr/local/ssl/bin/openssl s_client -connect localhost:443 -tls1 -servername localhost<块引用>
/usr/lib/ssl/openssl.cnf
这是 Ubuntu 为他们提供的 OpenSSL 放置 openssl.cnf 的地方.
如果您在 /usr/bin 中使用 OpenSSL,您将使用它.也就是说,/usr/lib/ssl/openssl.cnf 会在你发出时使用:
openssl s_client -connect localhost:443 -tls1 -servername localhost<块引用>
/etc/ssl/openssl.cnf
不知道什么时候用./etc/ssl 中的内容通常是证书和私钥,有时还包含openssl.cnf 的副本.但我从未见过它用于任何用途.
<块引用>
我应该使用哪个主要/正确的来进行更改?
从它的声音来看,您可能应该将引擎添加到/usr/lib/ssl/openssl.cnf.这确保了大多数现成的"齿轮将使用新引擎.
完成后,将其添加到 /usr/local/ssl/openssl.cnf 也是因为复制/粘贴很容易.
以下是查看与 OpenSSL 安装相关联的 openssl.cnf 目录的方法.库和程序在 OPENSSLDIR 中查找 openssl.cnf.OPENSSLDIR 是一个配置选项,它用 --openssldir 设置.
我在 MacBook 上使用 3 个不同的 OpenSSL(Apple 的、MacPort 的和我构建的):
# 苹果$/usr/bin/openssl 版本 -a |grep OPENSSLDIROPENSSLDIR:/系统/库/OpenSSL";# MacPorts$/opt/local/bin/openssl 版本 -a |grep OPENSSLDIROPENSSLDIR:/opt/local/etc/openssl";# 我的 OpenSSL 构建$ openssl 版本 -a |grep OPENSSLDIROPENSSLDIR:/usr/local/ssl/darwin"<块引用>
我有一个 Ubuntu 系统并且我已经安装了 openssl.
只是自行车脱落,但要小心 Ubuntu 的 OpenSSL 版本.它禁用了 TLSv1.1 和 TLSv1.2,因此您将只有能够使用旧密码套件的客户端;并且您将无法使用更新的密码,例如 AES/CTR(替换 RC4)和椭圆曲线齿轮(例如 ECDHE_ECDSA_* 和 ECDHE_RSA_*).参见 Ubuntu 12.04 LTS:OpenSSL 下层版本为 1.0.0,不支持Launchpad 中的 TLS 1.2.
编辑:Ubuntu 最近启用了 TLS 1.1 和 TLS 1.2.请参阅关于错误报告的评论 17.
I have an Ubuntu system and I have installed OpenSSL. Now I want to make changes to the config file. I searched my folders and found the following locations for the config files. Which is the main/correct one that I should use to make changes? I need to add an engine here. Any help would be appreciated. Here are the locations:
/usr/local/ssl/openssl.cnf
/usr/lib/ssl/openssl.cnf
/etc/ssl/openssl.cnf
/usr/local/ssl/openssl.cnf
This is a local installation. You downloaded and built OpenSSL taking the default prefix, of you configured with ./config --prefix=/usr/local/ssl or ./config --openssldir=/usr/local/ssl.
You will use this if you use the OpenSSL in /usr/local/ssl/bin. That is, /usr/local/ssl/openssl.cnf will be used when you issue:
/usr/local/ssl/bin/openssl s_client -connect localhost:443 -tls1 -servername localhost
/usr/lib/ssl/openssl.cnf
This is where Ubuntu places openssl.cnf for the OpenSSL they provide.
You will use this if you use the OpenSSL in /usr/bin. That is, /usr/lib/ssl/openssl.cnf will be used when you issue:
openssl s_client -connect localhost:443 -tls1 -servername localhost
/etc/ssl/openssl.cnf
I don't know when this is used. The stuff in /etc/ssl is usually certificates and private keys, and it sometimes contains a copy of openssl.cnf. But I've never seen it used for anything.
Which is the main/correct one that I should use to make changes?
From the sounds of it, you should probably add the engine to /usr/lib/ssl/openssl.cnf. That ensures most "off the shelf" gear will use the new engine.
After you do that, add it to /usr/local/ssl/openssl.cnf also because copy/paste is easy.
Here's how to see which openssl.cnf directory is associated with a OpenSSL installation. The library and programs look for openssl.cnf in OPENSSLDIR. OPENSSLDIR is a configure option, and its set with --openssldir.
I'm on a MacBook with 3 different OpenSSL's (Apple's, MacPort's and the one I build):
# Apple
$ /usr/bin/openssl version -a | grep OPENSSLDIR
OPENSSLDIR: "/System/Library/OpenSSL"
# MacPorts
$ /opt/local/bin/openssl version -a | grep OPENSSLDIR
OPENSSLDIR: "/opt/local/etc/openssl"
# My build of OpenSSL
$ openssl version -a | grep OPENSSLDIR
OPENSSLDIR: "/usr/local/ssl/darwin"
I have an Ubuntu system and I have installed openssl.
Just bike shedding, but be careful of Ubuntu's version of OpenSSL. It disables TLSv1.1 and TLSv1.2, so you will only have clients capable of older cipher suites; and you will not be able to use newer ciphers like AES/CTR (to replace RC4) and elliptic curve gear (like ECDHE_ECDSA_* and ECDHE_RSA_*). See Ubuntu 12.04 LTS: OpenSSL downlevel version is 1.0.0, and does not support TLS 1.2 in Launchpad.
EDIT: Ubuntu enabled TLS 1.1 and TLS 1.2 recently. See Comment 17 on the bug report.
这篇关于openssl.cnf 文件的正确位置的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
