[openssl-users] Using weak ciphers in OpenSSL v 1.1.0e client

Benjamin Kaduk bkaduk at akamai.com
Wed Jun 7 16:15:57 UTC 2017


On 06/07/2017 11:13 AM, gerritvn wrote:
> We are using OpenSSL in a terminal emulation product.
> We recently upgraded from OpenSSL v 1.0.2g to OpenSSL v 1.1.0e.
> Some servers we connect to do not support any of the strong ciphers which
> are compiled by default in OpenSSL v 1.1.0e and returns an alert with
> "handshake error". 
> We recompiled with the option "enable-weak-ssl-ciphers", but that does not
> solve the problem.
> With OpenSSL v 1.0.2g one specific server selected the Cipher Suite:
> TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a) which is shown as DES-CBC3-SHA by
> OpenSSL
> Listing ciphers with our OpenSSL 1.1.0e "enable-weak-ssl-ciphers" build with
> the command:
> openssl ciphers -v "ALL:@SECLEVEL=0" 
> shows this entry:
> DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
> This cipher is, however, not offered in the Client Hello when our client
> opens the connection.
>
> What do we need to add to our program to get our client to offer the weak
> ciphers as well as the strong ones?
>


https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_security_level.html

-Ben
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20170607/a2bde05a/attachment.html>


More information about the openssl-users mailing list