On Wed, Mar 02, 2016 at 02:57:13PM -0500, Wall, Stephen wrote:

> Is there a set of recommended build options for openssl?  For instance,
> "no-ssl2 no-comp -DOPENSSL_NO_HEARTBEATS no-md4 ..."

By and large what should be off by default eventually or already is, but
there can be some delay for backwards compatibility.  The below
non-experimental features are disabled by default in OpenSSL 1.0.2s:

    my %disabled = ( # "what"         => "comment" [or special keyword "experimental"]
                     "ec_nistp_64_gcc_128" => "default",
                     "gmp"             => "default",
                     "md2"             => "default",
                     "rc5"             => "default",
                     "rfc3779"         => "default",
                     "sctp"            => "default",
                     "shared"          => "default",
                     "ssl-trace"       => "default",
                     "ssl2"            => "default",
                     "unit-test"       => "default",
                     "weak-ssl-ciphers" => "default",
                     "zlib"            => "default",
                     "zlib-dynamic"    => "default"
                   );

With these you're covered for no-ssl2 no-comp and no weak ciphers.  In
most cases you'll want shared libraries, but this requires "Configure
shared ...".  Some might choose to disable SSLv3 as well with "no-ssl3".
It may also be reasonable to disable "idea", "seed" and "rc2".

-- 
Viktor.
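Putting the advice above into a build recipe, as an added example that is not part of the mail and not OpenSSL project code: it runs Configure with the recommended extras (shared, no-ssl3, no-idea/seed/rc2, with the already-default no-ssl2/no-comp spelled out), then checks the generated opensslconf.h and the compiled-in cipher list so a silently ignored option is noticed. The source tree path ($OPENSSL_SRC), the /opt/openssl prefix and the linux-x86_64 target are assumed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original mail or the OpenSSL project.
# Configures OpenSSL 1.0.2 with the options the reply recommends on top of
# the defaults, then verifies the build by reading the generated
# opensslconf.h and the compiled-in cipher list.
# Placeholders (assumed): $OPENSSL_SRC source tree, /opt/openssl prefix,
# linux-x86_64 target.
set -eu

HARDENED_OPTS="shared no-ssl2 no-ssl3 no-comp no-weak-ssl-ciphers no-idea no-seed no-rc2"
PREFIX=/opt/openssl

# Each dropped algorithm/protocol appears as "#define OPENSSL_NO_<NAME>" in
# opensslconf.h.  Reads the header on stdin; returns 1 (naming the culprit)
# if any expected define is missing.
header_defines_all() {               # $1 = space-separated OPENSSL_NO_* names
    header=$(cat)
    for def in $1; do
        printf '%s\n' "$header" \
            | grep -Eq "^#[[:space:]]*define[[:space:]]+${def}([[:space:]]|$)" \
            || { echo "opensslconf.h lacks $def" >&2; return 1; }
    done
}

# Reads "openssl ciphers -v 'ALL:COMPLEMENTOFALL'" output on stdin and fails
# if a suite using IDEA, SEED or RC2, or any SSLv2-only suite, survived.
# (The protocol column still reads SSLv3 for TLS 1.0 suites, so it is not a
# test for no-ssl3; the header check above covers that.)
cipherlist_is_clean() {
    ! grep -Eq 'Enc=(IDEA|SEED|RC2)\(|[[:space:]]SSLv2[[:space:]]'
}

build_and_verify() {                 # $1 = OpenSSL 1.0.2 source tree
    (cd "$1" && ./Configure $HARDENED_OPTS --prefix="$PREFIX" linux-x86_64 \
        && make && make install_sw)
    header_defines_all 'OPENSSL_NO_SSL2 OPENSSL_NO_SSL3 OPENSSL_NO_COMP OPENSSL_NO_IDEA OPENSSL_NO_SEED OPENSSL_NO_RC2' \
        < "$PREFIX/include/openssl/opensslconf.h"
    "$PREFIX/bin/openssl" ciphers -v 'ALL:COMPLEMENTOFALL' | cipherlist_is_clean
}

# Only build when pointed at a source tree; the check functions work alone.
if [ -n "${OPENSSL_SRC:-}" ]; then
    build_and_verify "$OPENSSL_SRC"
fi
```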