Change TLS/SSL version and cipher parameters for a Linux service using the OpenSSL library

Sometimes you need to change TLS/SSL parameters for a service that uses the libssl library from OpenSSL, but the service's own configuration does not accept those parameters. In this example, I had to change the rsyslog forwarder parameters to send logs to a target that wasn't playing nice with TLS 1.3 and modern encryption protocols.

libssl and the applications using it take configuration parameters from the configuration file named by the OPENSSL_CONF environment variable, or from the default file /etc/ssl/openssl.cnf.

OpenSSL documentation is not the easiest to read, but man 5ssl config and some googling got me what I wanted.

/etc/ssl/openssl.no-tls13.cnf:

# This definition stops the following lines choking if HOME isn't
# defined.
HOME                    = .

openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MaxProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=1

/etc/systemd/system/rsyslog.service.d/override-openssl-params.conf:

[Service]
Environment="OPENSSL_CONF=/etc/ssl/openssl.no-tls13.cnf"

And finally applying the new configuration:

systemctl daemon-reload
systemctl restart rsyslog
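The weak spot in this setup is that the override lives in two places that must agree: the path in the systemd drop-in and the section chain inside the config file (openssl_conf -> ssl_conf -> system_default). If either is off, the service silently keeps the library defaults and still speaks TLS 1.3. The script below is an added example, not code from the post: it parses both files with only the Python standard library, follows the section chain, and reports what the service would actually get. The config text and the two drop-ins are constructed inline (one with a deliberately misspelled path such as .cnf.no-tls13 instead of .no-tls13.cnf), and are written to a temporary directory so the check runs anywhere.

```python
"""Sanity-check an OPENSSL_CONF override before restarting the service.

Added example (not the post's own code). The config file content and the
systemd drop-in texts below are constructed for the demo.
"""
import os
import re
import shlex
import tempfile

# Constructed copy of the no-TLS1.3 config shown in the post.
OPENSSL_CNF = """\
# This definition stops the following lines choking if HOME isn't defined.
HOME = .
openssl_conf = default_conf

[default_conf]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
MaxProtocol = TLSv1.2
CipherString = DEFAULT@SECLEVEL=1
"""


def parse_cnf(text):
    """Parse OpenSSL's INI-like config into {section: {key: value}}.
    Keys that appear before the first [section] go into "default"."""
    sections = {"default": {}}
    current = "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        m = re.match(r"\[\s*(\S+)\s*\]$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")  # first '=' only: values may contain '='
        if sep:
            sections[current][key.strip()] = value.strip()
    return sections


def system_default_settings(text):
    """Follow openssl_conf -> ssl_conf -> system_default and return that
    section's settings, or None if any link in the chain is missing."""
    sections = parse_cnf(text)
    try:
        init_sect = sections["default"]["openssl_conf"]
        ssl_sect = sections[init_sect]["ssl_conf"]
        sysdef = sections[ssl_sect]["system_default"]
        return dict(sections[sysdef])
    except KeyError:
        return None


def openssl_conf_path(dropin_text):
    """Return the OPENSSL_CONF value set by Environment= lines of a systemd
    drop-in, or None if the drop-in does not set it."""
    for line in dropin_text.splitlines():
        line = line.strip()
        if not line.startswith("Environment="):
            continue
        for assignment in shlex.split(line[len("Environment="):]):
            var, _, val = assignment.partition("=")
            if var == "OPENSSL_CONF":
                return val
    return None


def check_override(dropin_text):
    """Return a list of problems (empty list means the override looks sound)."""
    path = openssl_conf_path(dropin_text)
    if path is None:
        return ["drop-in does not set OPENSSL_CONF"]
    if not os.path.isfile(path):
        return [f"OPENSSL_CONF points at {path}, which does not exist"]
    with open(path) as fh:
        settings = system_default_settings(fh.read())
    if settings is None:
        return [f"{path}: openssl_conf/ssl_conf/system_default chain is broken"]
    if "MaxProtocol" not in settings:
        return [f"{path}: system_default section sets no MaxProtocol"]
    return []


def demo():
    """Write the constructed config to a temp dir and check a mismatched
    drop-in and a matching one. Returns (problems_bad, problems_good)."""
    with tempfile.TemporaryDirectory() as d:
        good_path = os.path.join(d, "openssl.no-tls13.cnf")
        with open(good_path, "w") as fh:
            fh.write(OPENSSL_CNF)
        bad_dropin = f'[Service]\nEnvironment="OPENSSL_CONF={d}/openssl.cnf.no-tls13"\n'
        good_dropin = f'[Service]\nEnvironment="OPENSSL_CONF={good_path}"\n'
        return check_override(bad_dropin), check_override(good_dropin)


if __name__ == "__main__":
    bad, good = demo()
    print("misspelled path:", bad)
    print("matching path:  ", good)
    print("resolved system_default:", system_default_settings(OPENSSL_CNF))
```

On a real host, point check_override at the actual drop-in file and, after the restart, confirm the running unit carries the variable with `systemctl show -p Environment rsyslog`.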


License: This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License