openssl/openssl
Configuration (openssl.cnf)
The runtime configuration file is openssl.cnf. It is consulted by apps/openssl and (when OPENSSL_CONF is set or CONF_modules_load_file is called) by any application that uses libcrypto.
The parser lives in crypto/conf/; the openssl.cnf.in template ships in apps/.
File format
The format is INI-like: [sections], key = value, and .include /path/to/file directives. Section references work via name = $section_name, and environment-variable substitution via ${ENV::VAR}.
HOME = .
openssl_conf = openssl_init
[openssl_init]
providers = provider_sect
ssl_conf = ssl_sect
[provider_sect]
default = default_sect
[default_sect]
activate = 1Top-level sections
openssl_conf names a section that lists modules. The recognised module names:
providers— provider configuration (3.0+).engines— Engine configuration (legacy).oid_section— additional OIDs to register.ssl_conf—SSL_CTXdefaults applied automatically when a context is created (SSL_CTX_config(ctx, "name")).evp_properties— EVP default property string.random— DRBG selection and source.
Each module's section maps the symbolic name to a section that holds its configuration:
[openssl_init]
providers = provider_sect
ssl_conf = ssl_sect[providers]
Each entry maps a provider name to a section configuring it:
[provider_sect]
default = default_sect
fips = fips_sect
legacy = legacy_sect
[default_sect]
activate = 1
[fips_sect]
activate = 1
[legacy_sect]
activate = 1Recognised keys in a provider section:
activate = 1— load it.module = /path/to/foo.so— explicit module path. Defaults to looking up<name>.soin the configured provider search path.identity = name— override the provider's reported name (rarely needed).<key> = <value>— passed as anOSSL_PARAMto the provider's init.
For FIPS, the line .include /etc/ssl/fipsmodule.cnf brings in the module-specific MAC, version, and KAT status produced by openssl fipsinstall.
[ssl_conf] and friends
ssl_conf = ssl_sect declares that named SSL configurations live under [ssl_sect]. Each entry there is a name → section reference:
[ssl_sect]
server = server_sect
client = client_sect
[server_sect]
Protocol = -ALL,TLSv1.2,TLSv1.3
Ciphersuites = TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384
Groups = X25519MLKEM768:X25519:P-256
Options = ServerPreference,EnableMiddleBoxCompat
ChainCAFile = chain.pem
PrivateKey = key.pem
Certificate = cert.pemThe application calls SSL_CTX_config(ctx, "server") to apply the keys to ctx. The keys are handled by ssl/ssl_conf.c; the canonical list is in doc/man3/SSL_CONF_cmd.pod.
[evp_properties]
[openssl_init]
evp_properties = props_sect
[props_sect]
default_properties = ?fips=yesSets the libctx default property at startup. Most callers that want this set it programmatically with EVP_set_default_properties(libctx, "?fips=yes") instead.
[random]
Selects DRBG type and seed source:
[openssl_init]
random = random_sect
[random_sect]
random = CTR-DRBG
cipher = AES-256-CTR
digest = SHA2-512
seed = SEED-SRC
seed_properties =The same configuration drives RAND_set_DRBG_type etc.
[req] and friends (CLI subcommand defaults)
apps/openssl req, ca, x509, verify, s_client, s_server, cms, pkcs12, cmp, etc. all read named sections from openssl.cnf. The default config that ships in apps/openssl.cnf.in is dense with examples for each.
The most commonly customised:
| Section | Used by |
|---|---|
[ca] |
openssl ca |
[CA_default] |
openssl ca (the default CA profile) |
[req] |
openssl req |
[ usr_cert ] |
openssl ca cert extensions for end-entity certs |
[ v3_ca ] |
extensions for self-signed CAs |
[ tsa ] |
openssl ts |
Precedence
When both code and config set the same parameter, the last setter wins. Calling SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION) after SSL_CTX_config(ctx, "server") overrides the config's MinProtocol.
Environment variable overrides
| Variable | Effect |
|---|---|
OPENSSL_CONF |
Path to the config file. Default: built-in (<install>/openssl.cnf). |
OPENSSL_CONF_INCLUDE |
Path searched for .include directives. |
OPENSSL_MODULES |
Default provider search path. |
OPENSSL_ENGINES |
Default Engine search path. |
SSL_CERT_DIR |
Default trust-store directory. |
SSL_CERT_FILE |
Default trust-store bundle file. |
OPENSSL_TRACE |
Trace categories (see how-to-contribute/debugging). |
OPENSSL_TRACE_FILE |
Trace destination. |
RANDFILE |
DRBG state file. |
OPENSSL_FIPS_VENDOR |
Override the FIPS provider's vendor identification. |
SSL_QLOG_DIR |
qlog output dir for QUIC. |
The full list is in doc/man7/openssl-env.pod.
Useful documentation
doc/man5/config.pod— the format.doc/man5/x509v3_config.pod— the v3 extension config syntax used by[v3_ca]etc.doc/man5/fips_config.pod—[fips_sect]andfipsmodule.cnf.doc/man3/SSL_CONF_cmd.pod— the[ssl_sect]keys.doc/man7/openssl-env.pod— env-var overrides.
Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.