Open-Source Wikis

/

OpenSSL

/

Reference

/

Configuration (`openssl.cnf`)

openssl/openssl

Configuration (openssl.cnf)

The runtime configuration file is openssl.cnf. It is consulted by apps/openssl and (when OPENSSL_CONF is set or CONF_modules_load_file is called) by any application that uses libcrypto.

The parser lives in crypto/conf/; the openssl.cnf.in template ships in apps/.

File format

The format is INI-like: [sections], key = value, and .include /path/to/file directives. Section references work via name = $section_name, and environment-variable substitution via ${ENV::VAR}.

HOME = .

openssl_conf = openssl_init

[openssl_init]
providers = provider_sect
ssl_conf  = ssl_sect

[provider_sect]
default = default_sect

[default_sect]
activate = 1

Top-level sections

openssl_conf names a section that lists modules. The recognised module names:

  • providers — provider configuration (3.0+).
  • engines — Engine configuration (legacy).
  • oid_section — additional OIDs to register.
  • ssl_confSSL_CTX defaults applied automatically when a context is created (SSL_CTX_config(ctx, "name")).
  • evp_properties — EVP default property string.
  • random — DRBG selection and source.

Each module's section maps the symbolic name to a section that holds its configuration:

[openssl_init]
providers = provider_sect
ssl_conf  = ssl_sect

[providers]

Each entry maps a provider name to a section configuring it:

[provider_sect]
default = default_sect
fips    = fips_sect
legacy  = legacy_sect

[default_sect]
activate = 1

[fips_sect]
activate = 1

[legacy_sect]
activate = 1

Recognised keys in a provider section:

  • activate = 1 — load it.
  • module = /path/to/foo.so — explicit module path. Defaults to looking up <name>.so in the configured provider search path.
  • identity = name — override the provider's reported name (rarely needed).
  • <key> = <value> — passed as an OSSL_PARAM to the provider's init.

For FIPS, the line .include /etc/ssl/fipsmodule.cnf brings in the module-specific MAC, version, and KAT status produced by openssl fipsinstall.

[ssl_conf] and friends

ssl_conf = ssl_sect declares that named SSL configurations live under [ssl_sect]. Each entry there is a name → section reference:

[ssl_sect]
server = server_sect
client = client_sect

[server_sect]
Protocol      = -ALL,TLSv1.2,TLSv1.3
Ciphersuites  = TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384
Groups        = X25519MLKEM768:X25519:P-256
Options       = ServerPreference,EnableMiddleBoxCompat
ChainCAFile   = chain.pem
PrivateKey    = key.pem
Certificate   = cert.pem

The application calls SSL_CTX_config(ctx, "server") to apply the keys to ctx. The keys are handled by ssl/ssl_conf.c; the canonical list is in doc/man3/SSL_CONF_cmd.pod.

[evp_properties]

[openssl_init]
evp_properties = props_sect

[props_sect]
default_properties = ?fips=yes

Sets the libctx default property at startup. Most callers that want this set it programmatically with EVP_set_default_properties(libctx, "?fips=yes") instead.

[random]

Selects DRBG type and seed source:

[openssl_init]
random = random_sect

[random_sect]
random      = CTR-DRBG
cipher      = AES-256-CTR
digest      = SHA2-512
seed        = SEED-SRC
seed_properties =

The same configuration drives RAND_set_DRBG_type etc.

[req] and friends (CLI subcommand defaults)

apps/openssl req, ca, x509, verify, s_client, s_server, cms, pkcs12, cmp, etc. all read named sections from openssl.cnf. The default config that ships in apps/openssl.cnf.in is dense with examples for each.

The most commonly customised:

Section Used by
[ca] openssl ca
[CA_default] openssl ca (the default CA profile)
[req] openssl req
[ usr_cert ] openssl ca cert extensions for end-entity certs
[ v3_ca ] extensions for self-signed CAs
[ tsa ] openssl ts

Precedence

When both code and config set the same parameter, the last setter wins. Calling SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION) after SSL_CTX_config(ctx, "server") overrides the config's MinProtocol.

Environment variable overrides

Variable Effect
OPENSSL_CONF Path to the config file. Default: built-in (<install>/openssl.cnf).
OPENSSL_CONF_INCLUDE Path searched for .include directives.
OPENSSL_MODULES Default provider search path.
OPENSSL_ENGINES Default Engine search path.
SSL_CERT_DIR Default trust-store directory.
SSL_CERT_FILE Default trust-store bundle file.
OPENSSL_TRACE Trace categories (see how-to-contribute/debugging).
OPENSSL_TRACE_FILE Trace destination.
RANDFILE DRBG state file.
OPENSSL_FIPS_VENDOR Override the FIPS provider's vendor identification.
SSL_QLOG_DIR qlog output dir for QUIC.

The full list is in doc/man7/openssl-env.pod.

Useful documentation

  • doc/man5/config.pod — the format.
  • doc/man5/x509v3_config.pod — the v3 extension config syntax used by [v3_ca] etc.
  • doc/man5/fips_config.pod[fips_sect] and fipsmodule.cnf.
  • doc/man3/SSL_CONF_cmd.pod — the [ssl_sect] keys.
  • doc/man7/openssl-env.pod — env-var overrides.

Built by Factory AutoWiki from public repository content. It is a generated preview for codebase exploration, not source-maintained documentation.

Configuration (`openssl.cnf`) – OpenSSL wiki | Factory