Change TLS/SSL version and cypher parameters for Linux service using openssl library

Sometimes you need to change TLS/SSL parameters for a service using libssl library from openssl, but the service config does not accept that parameters. In this example, I had to change rsyslog forwarder parameters to send logs to the target that wasn’t playing nice with TLS 1.3 and modern encryption protocols.

libssl and applications using it take configuration parameters from configuration file set by environment variable OPENSSL_CONF or from default file /etc/ssl/openssl.cnf.

Openssl documentation is not the easiest one to read, but man 5ssl config and some googling got me what I wanted.


# This definition stops the following lines choking if HOME isn't
# defined.
HOME                    = .

openssl_conf = default_conf

ssl_conf = ssl_sect

system_default = system_default_sect

MaxProtocol = TLSv1.2



And finally applying the new configuration:

systemctl daemon-reload
systemctl restart rsyslog

License: This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License Share: share on reddit share on hacker news share on facebook share on twitter share on linkedin share on slashdot