# openssl without TLSv1.0



## noodlefling (Jul 13, 2022)

I just switched from ports to packages and a side effect seems to be that TLSv1.0 has been re-enabled. Previously what I'd done is a `make config` for openssl and turned off TLSv1.0, and then recompiled everything that required openssl.

If I do that now, will I have to use ports (instead of packages) for everything that depends on openssl?

Alternatively, is there option in a config file I can add to just disable TLSv1.0?  That would be the simplest solution.


----------



## noodlefling (Jul 13, 2022)

Hmm, it looks like I can shut off the protocol in the related packages with their appropriate config files.  Slightly less definitive, but it seems like it should do the job I'm looking to do (ie, quiet some auto-generated security warnings from the IT department).

Still interested in the general principle, however.  Was there something magical happening when the related ports were compiled with openssl in that state?  Does it break anything if I disable something at compilation time of the openssl port but leave the dependent packages alone?


----------



## zirias@ (Jul 13, 2022)

noodlefling said:


> Still interested in the general principle, however. Was there something magical happening when the related ports were compiled with openssl in that state? Does it break anything if I disable something at compilation time of the openssl port but leave the dependent packages alone?


Nothing "magical" for sure. Those ports use libraries from openssl (and include headers for using them). If this option changes anything in the library interface (some simple feature test macro would be enough and I suppose disabling TLSv1.0 might add one to /usr/local/include/openssl/opensslconf.h), it is _possible_ that binaries compiled using this lib will be different. They will if they use the affected parts of the API.

So, I can't tell you for sure that things will break, but I'd recommend not to take that risk.


----------



## mer (Jul 13, 2022)

I haven't looked at this in a while, but I think one should be able to restrict things at runtime.  Say apache you could eliminate tls1.0, etc.  Not sure if there is a "global openssl config" that would let you eliminate protocols outside of any application.


----------



## noodlefling (Jul 22, 2022)

Thanks, guys. As a followup, the modifications I made to the config files of the affected packages seem to have done the job, so I'm not going to play with fire.

As long as the IT guys aren't banging on the door, I'm happy.


----------

