[openssl-users] Re-enable 3DES on NGINX + OpenSSL 1.1.1

Matt Caswell matt at openssl.org
Mon Sep 17 16:41:40 UTC 2018



On 17/09/18 16:29, Neil Craig wrote:
> Hi all
> 
> I'm trying to re-add 3DES support (a temporary move, due to business
> requirements) to an NGINX (1.15.3) + OpenSSL (1.1.1) build via the NGINX
> build flag --with-openssl-opt=enable-weak-ssl-ciphers which I learnt
> from https://www.openssl.org/blog/blog/2016/08/24/sweet32/. 
> 
> Whilst I do see some older ciphersuites being offered by NGINX after
> doing this, e.g. Camellia, Seed and so on, I don't see 3DES. I was
> expecting to be able to specifically list 3DES e.g. via DES-CBC3-SHA but
> that didn’t work. I have also tried adding @seclevel=0 to the
> ciphersuite string in NGINX but again, that didn’t work, I don’t see any
> 3DES ciphersuites available in NGINX.
> 
> I'm wondering whether something changed between the above article and
> the final version of OpenSSL 1.1.1? (i.e. whether 3DES support was
> completely removed in OpenSSL 1.1.1).
> 
> Any pointers would be very much appreciated, I can’t find anything very
> useful on the web.

3DES is still available in 1.1.1 but is no longer in the DEFAULT
ciphersuite list, so unless you explicitly configure them to be
available you won't see them (even if you configure with
enable-weak-ssl-ciphers).

E.g. (assuming you compiled with enable-weak-ssl-ciphers):


$ openssl ciphers -v | grep 3DES

Will give you 0 ciphers, but

$ openssl ciphers -v 3DES | grep 3DES

Should list 14 different 3DES ciphersuites that are available.

I don't know about nginx config though so maybe someone else can help there.

Matt
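
The two commands in the reply above can be folded into one check that says which case a build is in. This is an added example, not part of the original thread; the function names and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report whether 3DES ciphersuites are in
# the DEFAULT list, only selectable by name, or missing from the build.

# count_3des: read `openssl ciphers -v` output on stdin, print how many lines
# carry Enc=3DES(...) in the bulk-cipher column.
count_3des() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^Enc=3DES\(/) { n++; break } }
         END { print n + 0 }'
}

# classify_3des DEFAULT_LISTING EXPLICIT_LISTING
#   DEFAULT_LISTING  - output of `openssl ciphers -v`
#   EXPLICIT_LISTING - output of `openssl ciphers -v 3DES` (empty on error)
classify_3des() {
    c3_default=$(printf '%s\n' "$1" | count_3des)
    c3_explicit=$(printf '%s\n' "$2" | count_3des)
    if [ "$c3_default" -gt 0 ]; then
        echo "in-default:$c3_default"      # offered without being asked for
    elif [ "$c3_explicit" -gt 0 ]; then
        echo "explicit-only:$c3_explicit"  # compiled in, must be named
    else
        echo "unavailable"                 # not compiled into this build
    fi
}

# Constructed sample listings in the `openssl ciphers -v` column layout.
SAMPLE_DEFAULT='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1'
SAMPLE_3DES='ECDHE-RSA-DES-CBC3-SHA TLSv1 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1'

echo "sample: $(classify_3des "$SAMPLE_DEFAULT" "$SAMPLE_3DES")"

# Live check against the openssl binary on PATH, when one is installed.
if command -v openssl >/dev/null 2>&1; then
    echo "local:  $(classify_3des "$(openssl ciphers -v 2>/dev/null)" \
                                   "$(openssl ciphers -v 3DES 2>/dev/null)")"
fi
```

The live check describes the `openssl` binary found on PATH, which is not necessarily the library an NGINX binary was built against when OpenSSL is compiled in through the NGINX build flags.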


