sfackler
commented
2 years ago If you're using OpenSSL specifically you may want to look into using the openssl crate directly which would give you full control over the configuration.
Closed jadamcrain closed 2 years ago
sfackler
commented
2 years ago If you're using OpenSSL specifically you may want to look into using the openssl crate directly which would give you full control over the configuration.
jadamcrain
commented
2 years ago Unfortunately, we have a lot of investment already in both reqwest and axum which use either rustls or native-tls. I'm exploring adding the CCM modes to rustls in parallel.
jadamcrain
commented
2 years ago FYI, the easiest path forward was to build a custom version of openssl until we can get CCM into rustls:
This can be done in openssl by editing include/openssl/ssl.h
changing:
# define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL"to
# define SSL_DEFAULT_CIPHER_LIST "ALL:-COMPLEMENTOFDEFAULT:!eNULL:ECDHE-ECDSA-AES128-CCM8"
I am implementing a standard that requires that both sides support
TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8. These ciphers are in OpenSSL, but are disabled by default.I see that #4 has kind of stalled.
Is there any way that you're aware to set the default cipher list when using the openssl library via environment variable?
I've tried via the openssl config file
/etc/ssl/openssl.cnfbut that seems to get ignored... perhaps it only pertains to the openssl cli?