authorPauli <pauli@openssl.org>2021-07-29 01:55:09 +0200
committerPauli <pauli@openssl.org>2021-08-04 00:15:14 +0200
commit92c03668c0cd77434006b613e3429888a0a8ecfe (patch)
treeef15d575c88ddc3ec5f88c7696849419012fcfe3 /demos
parentIf we have passed the private key, don't copy it implicitly (diff)
Add config_diagnostics to our configuration files.
The change to a more configuration-based approach to enable FIPS mode operation highlights a shortcoming in the default "should do something" approach we've taken for bad configuration files. Currently, a bad configuration file will be automatically loaded and once the badness is detected, it will silently stop processing the configuration and continue normal operations. This is good for remote servers, allowing changes to be made without bricking things. It's bad when a user thinks they've configured what they want but got something wrong and it still appears to work. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/16171)
Diffstat (limited to 'demos')
-rw-r--r--demos/bio/accept.cnf6
-rw-r--r--demos/bio/cmod.cnf3
-rw-r--r--demos/bio/connect.cnf6
-rw-r--r--demos/certs/apps/apps.cnf4
-rw-r--r--demos/certs/ca.cnf3
5 files changed, 22 insertions, 0 deletions
diff --git a/demos/bio/accept.cnf b/demos/bio/accept.cnf
index cb0cefba75..ce36678ee9 100644
--- a/demos/bio/accept.cnf
+++ b/demos/bio/accept.cnf
@@ -1,10 +1,16 @@
# Example configuration file
+
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
# Port to listen on
Port = 4433
+
# Disable TLS v1.2 for test.
# Protocol = ALL, -TLSv1.2
# Only support 3 curves
Curves = P-521:P-384:P-256
+
# Restricted signature algorithms
SignatureAlgorithms = RSA+SHA512:ECDSA+SHA512
Certificate=server.pem
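Review bot: `config_diagnostics = 1` may not behave as intended in this file, depending on how the demo reads it. The other keys in this section (`Curves`, `SignatureAlgorithms`, `Certificate`) look like SSL_CONF command names, with `Port` handled by the application, which suggests the section is walked key by key rather than loaded through the library's config module loader. If that is the case, the new key is either ignored, giving a false impression that errors are being diagnosed, or rejected as an unknown option. Please confirm the reader honours or skips it; if it does neither, drop the key here or add `# only effective when loaded through the library config loader`. The same question applies to the connect.cnf hunk.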
diff --git a/demos/bio/cmod.cnf b/demos/bio/cmod.cnf
index 39ac54edd9..df514dba79 100644
--- a/demos/bio/cmod.cnf
+++ b/demos/bio/cmod.cnf
@@ -4,6 +4,9 @@
# and section containing configuration
testapp = test_sect
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
[test_sect]
# list of configuration modules
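Review bot: The comment added above `config_diagnostics = 1` says only how to turn the setting off, not what it does. Someone copying this file as a template will not learn that, without it, a mistyped module or provider section is skipped silently and the application keeps running with defaults, which is the failure mode the commit message describes for FIPS configuration. I would put `# Treat configuration errors as failures instead of silently ignoring them.` ahead of the existing comment line. The same wording appears in the accept.cnf, connect.cnf, apps.cnf and ca.cnf hunks. The key is placed before `[test_sect]`, but the hunk starts at line 4, so it is worth confirming that no section header precedes it and that it lands in the default section.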
diff --git a/demos/bio/connect.cnf b/demos/bio/connect.cnf
index ab764403a4..0049a77b2d 100644
--- a/demos/bio/connect.cnf
+++ b/demos/bio/connect.cnf
@@ -1,9 +1,15 @@
# Example configuration file
+
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
# Connects to the default port of s_server
Connect = localhost:4433
+
# Disable TLS v1.2 for test.
# Protocol = ALL, -TLSv1.2
# Only support 3 curves
Curves = P-521:P-384:P-256
+
# Restricted signature algorithms
SignatureAlgorithms = RSA+SHA512:ECDSA+SHA512
diff --git a/demos/certs/apps/apps.cnf b/demos/certs/apps/apps.cnf
index 07a3d10b55..72ed70de75 100644
--- a/demos/certs/apps/apps.cnf
+++ b/demos/certs/apps/apps.cnf
@@ -7,6 +7,10 @@
HOME = .
CN = "Not Defined"
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
+
####################################################################
[ req ]
default_bits = 2048
diff --git a/demos/certs/ca.cnf b/demos/certs/ca.cnf
index 2fbf20490b..e0c73c4eef 100644
--- a/demos/certs/ca.cnf
+++ b/demos/certs/ca.cnf
@@ -8,6 +8,9 @@ HOME = .
CN = "Not Defined"
default_ca = ca
+# Comment out the next line to ignore configuration errors
+config_diagnostics = 1
+
####################################################################
[ req ]
default_bits = 1024
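Review bot: `default_bits = 1024` in the `[ req ]` context just below the added lines is out of step with apps.cnf, which uses `default_bits = 2048` in this same commit's view. The line is not part of this change, but demo CA configurations tend to be copied verbatim, and a 1024-bit default is weaker than current practice accepts for RSA keys. Since the file is already being touched to make misconfiguration visible, consider raising it to `default_bits = 2048` here or in a follow-up. The `[ req ]` section continues outside the hunk, so other defaults there are not visible for review.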