Correct location of openssl.cnf file
I have an Ubuntu system and I have installed OpenSSL. Now I want to make changes to the config file. I searched my folders and found the following locations for the config files. Which is the main/correct one that I should use to make changes? I need to add an engine here. Any help would be appreciated. Here are the locations:
/usr/local/ssl/openssl.cnf
/usr/lib/ssl/openssl.cnf
/etc/ssl/openssl.cnf
Solution 1:
/usr/local/ssl/openssl.cnf
This is a local installation. You downloaded and built OpenSSL taking the default prefix
, of you configured with ./config --prefix=/usr/local/ssl
or ./config --openssldir=/usr/local/ssl
.
You will use this if you use the OpenSSL in /usr/local/ssl/bin
. That is, /usr/local/ssl/openssl.cnf
will be used when you issue:
/usr/local/ssl/bin/openssl s_client -connect localhost:443 -tls1 -servername localhost
/usr/lib/ssl/openssl.cnf
This is where Ubuntu places openssl.cnf
for the OpenSSL they provide.
You will use this if you use the OpenSSL in /usr/bin
. That is, /usr/lib/ssl/openssl.cnf
will be used when you issue:
openssl s_client -connect localhost:443 -tls1 -servername localhost
/etc/ssl/openssl.cnf
I don't know when this is used. The stuff in /etc/ssl
is usually certificates and private keys, and it sometimes contains a copy of openssl.cnf
. But I've never seen it used for anything.
Which is the main/correct one that I should use to make changes?
From the sounds of it, you should probably add the engine to /usr/lib/ssl/openssl.cnf
. That ensures most "off the shelf" gear will use the new engine.
After you do that, add it to /usr/local/ssl/openssl.cnf
also because copy/paste is easy.
Here's how to see which openssl.cnf
directory is associated with a OpenSSL installation. The library and programs look for openssl.cnf
in OPENSSLDIR
. OPENSSLDIR
is a configure option, and its set with --openssldir
.
I'm on a MacBook with 3 different OpenSSL's (Apple's, MacPort's and the one I build):
# Apple
$ /usr/bin/openssl version -a | grep OPENSSLDIR
OPENSSLDIR: "/System/Library/OpenSSL"
# MacPorts
$ /opt/local/bin/openssl version -a | grep OPENSSLDIR
OPENSSLDIR: "/opt/local/etc/openssl"
# My build of OpenSSL
$ openssl version -a | grep OPENSSLDIR
OPENSSLDIR: "/usr/local/ssl/darwin"
I have an Ubuntu system and I have installed openssl.
Just bike shedding, but be careful of Ubuntu's version of OpenSSL. It disables TLSv1.1 and TLSv1.2, so you will only have clients capable of older cipher suites; and you will not be able to use newer ciphers like AES/CTR (to replace RC4) and elliptic curve gear (like ECDHE_ECDSA_*
and ECDHE_RSA_*
). See Ubuntu 12.04 LTS: OpenSSL downlevel version is 1.0.0, and does not support TLS 1.2 in Launchpad.
EDIT: Ubuntu enabled TLS 1.1 and TLS 1.2 recently. See Comment 17 on the bug report.
Solution 2:
RHEL: /etc/pki/tls/openssl.cnf
Solution 3:
/usr/local/ssl/openssl.cnf
is soft link of
/etc/ssl/openssl.cnf
You can see that using long list (ls -l) on the /usr/local/ssl/ directory where you will find
lrwxrwxrwx 1 root root 20 Mar 1 05:15 openssl.cnf -> /etc/ssl/openssl.cnf