[openssl-users] Re-enable 3DES on NGINX + OpenSSL 1.1.1
Neil Craig
Neil.Craig at bbc.co.uk
Mon Sep 17 20:20:04 UTC 2018
Thanks very much Matt. I have indeed built with NGINX configure opt
--with-openssl-opt=enable-weak-ssl-cipher and whilst I don't see an error
when running NGINX with a/some 3DES cipher(s) in the ciphers list, I don't
see any 3DES ciphers in the output of e.g. Testssl and I can't make a
connection to the server using openssl CLI with -cipher <3DES cipher>.
I wonder if the problem might be either NGINX not respecting/processing
the configure opt (above) or possibly removing 3DES ciphers for some
reason with openssl 1.1.1.
I'll keep digging, thanks again for your help and for confirming that's
the right thing to do.
Cheers
Neil Craig
Lead Technical Architect | Online Technology Group
Broadcast Centre, London W12 7TQ | BC4 A3
Twitter: https://twitter.com/tdp_org
On 17/09/2018, 17:41, "openssl-users on behalf of Matt Caswell"
<openssl-users-bounces at openssl.org on behalf of matt at openssl.org> wrote:
>
>
>On 17/09/18 16:29, Neil Craig wrote:
>> Hi all
>>
>> I'm trying to re-add 3DES support (a temporary move, due to business
>> requirements) to an NGINX (1.15.3) + OpenSSL (1.1.1) build via the NGINX
>> build flag --with-openssl-opt=enable-weak-ssl-ciphers which I learnt
>> from https://www.openssl.org/blog/blog/2016/08/24/sweet32/.
>>
>> Whilst I do see some older ciphersuites being offered by NGINX after
>> doing this, e.g. Camellia, Seed and so on, I don't see 3DES. I was
>> expecting to be able to specifically list 3DES e.g. via DES-CBC3-SHA but
>> that didn't work. I have also tried adding @seclevel=0 to the
>> ciphersuite string in NGINX but again, that didn't work, I don't see any
>> 3DES ciphersuites available in NGINX.
>>
>> I'm wondering whether something changed between the above article and
>> the final version of OpenSSL 1.1.1? (i.e. whether 3DES support was
>> completely removed in OpenSSL 1.1.1).
>>
>> Any pointers would be very much appreciated, I can't find anything very
>> useful on the web.
>
>3DES is still available in 1.1.1 but is no longer in the DEFAULT
>ciphersuite list, so unless you explicitly configure them to be
>available you won't see them (even if you configure with
>enable-weak-ssl-ciphers).
>
>E.g. (assuming you compiled with enable-weak-ssl-ciphers):
>
>
>$ openssl ciphers -v | grep 3DES
>
>Will give you 0 ciphers, but
>
>$ openssl ciphers -v 3DES | grep 3DES
>
>Should list 14 different 3DES ciphersuites that are available.
>
>I don't know about nginx config though so maybe someone else can help
>there.
>
>Matt
>
>--
>openssl-users mailing list
>To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
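The check Matt describes, generalized to any cipher string, as an added example that is not part of the original thread: it separates "3DES was not built in" from "3DES was built in but the configured string does not select it". `OPENSSL_BIN`, the function names and the sample listing are assumptions made for this example; `OPENSSL_BIN` has to be the `openssl` binary built with the same options as the library the server links against.

```shell
#!/bin/sh
# Added example (not from the thread). OPENSSL_BIN is an assumption: it must be
# the openssl binary built with the same options as the library the server uses.
OPENSSL_BIN="${OPENSSL_BIN:-openssl}"

# Constructed sample of `openssl ciphers -v` output, used to exercise count_3des.
SAMPLE_OUTPUT='TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-DES-CBC3-SHA TLSv1 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1'

# Count 3DES suites in `openssl ciphers -v` output read from stdin. Matching on
# the Enc= column ignores any non-3DES suites that appear in the listing.
count_3des() {
    awk '/Enc=3DES/ { n++ } END { print n + 0 }'
}

# Expand a cipher string with the chosen build; empty output if nothing matches
# or if OPENSSL_BIN cannot be run.
expand() {
    "$OPENSSL_BIN" ciphers -v "$1" 2>/dev/null
}

# diagnose AVAILABLE SELECTED: AVAILABLE is the count for the string "3DES",
# SELECTED the count for the string the server is actually configured with.
diagnose() {
    if [ "$1" -eq 0 ]; then
        echo "not-built"                # no 3DES suites in this build at all
    elif [ "$2" -eq 0 ]; then
        echo "built-but-not-selected"   # string never names 3DES (DEFAULT omits it)
    else
        echo "selected"
    fi
}

check_cipher_string() {
    available=$(expand 3DES | count_3des)
    selected=$(expand "$1" | count_3des)
    echo "3DES available=$available selected=$selected: $(diagnose "$available" "$selected")"
}

# Usage: sh check3des.sh 'DEFAULT:DES-CBC3-SHA'
if [ "$#" -gt 0 ]; then
    check_cipher_string "$1"
fi
```

A result of `selected` only says the cipher string expands to 3DES suites in that build; whether the server offers them still has to be confirmed with a handshake against the running service.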