TLSv1 on CentOS-8
Junaid Mukhtar
junaid.mukhtar at gmail.com
Fri Apr 17 14:39:31 UTC 2020
Hi Tomas
Is it possible to enable legacy protocols/ciphers but disable only one? In
particular, we want RC4-SHA to be disabled.
--------
Regards,
Junaid
On Wed, Apr 15, 2020 at 5:13 PM Junaid Mukhtar <junaid.mukhtar at gmail.com>
wrote:
> Thanks a lot; it really helped.
>
> --------
> Regards,
> Junaid
>
>
> On Wed, Apr 15, 2020 at 5:04 PM Tomas Mraz <tmraz at redhat.com> wrote:
>
>> On Wed, 2020-04-15 at 16:57 +0100, Junaid Mukhtar wrote:
>> > Hi Team
>> >
>> > I am trying to enable TLSv1 on CentOS-8. We don't have the ability to
>> > upgrade the server unfortunately so we need to enable TLSv1 with
>> > weak-ciphers on OpenSSL.
>> >
>> > I have tried to build the OpenSSL version manually using switches
>> > "./config --prefix=/usr/local/openssl --openssldir=/usr/local/openssl
>> > shared enable-weak-ssl-ciphers enable-deprecated enable-rc4 enable-tls1
>> > zlib" which ran successfully
>> >
>> > [root at 2cb6477375aa openssl-OpenSSL_1_1_1c]# openssl version
>> > OpenSSL 1.1.1c 28 May 2019
>> >
>> >
>> > But I am still not able to run the "openssl s_client -connect "
>> > command without specifying -tls1 in it. Build accepts the
>> > weak-ciphers but not the tls1 version.
>> >
>> > Can someone please help me with this?
>>
>> You should not need to recompile openssl or anything.
>>
>> Just run:
>>
>> update-crypto-policies --set LEGACY
>>
>> and restart the service that is supposed to be providing the TLS1
>> server or reboot the machine.
>>
>> The LEGACY crypto policy purpose is exactly for re-enabling some of the
>> not-up-to-date protocols and crypto algorithms.
>>
>> --
>> Tomáš Mráz
>> No matter how far down the wrong road you've gone, turn back.
>> Turkish proverb
>> [You'll know whether the road is wrong if you carefully listen to your
>> conscience.]
>>
>>
>>
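
An added example, not part of the thread or of OpenSSL's own code: a check, using Python's `ssl` module against the local OpenSSL build, that a cipher string keeps legacy suites available while leaving no RC4 suite enabled. The cipher strings are constructed for illustration and assume the application accepts its own cipher string; the `!RC4` exclusion covers RC4-SHA and every other RC4 suite.

```python
import ssl

# Constructed cipher strings (assumptions, not taken from the thread).
LEGACY = "ALL:@SECLEVEL=0"          # everything the local build offers
LEGACY_NO_RC4 = "ALL:@SECLEVEL=0:!RC4"  # same, with RC4 permanently removed


def enabled_suites(cipher_string):
    """Expand an OpenSSL cipher string the way a TLS server context would."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # Each entry carries the suite name and the oldest protocol it is defined for.
    return [(c["name"], c["protocol"]) for c in ctx.get_ciphers()]


def banned_suites(cipher_string, banned="RC4"):
    """Return the enabled suite names that contain the banned algorithm."""
    return sorted(n for n, _ in enabled_suites(cipher_string) if banned in n)


def audit(cipher_string, banned="RC4"):
    """Summarise what a cipher string leaves enabled on this OpenSSL build."""
    suites = enabled_suites(cipher_string)
    modern = ("TLSv1.2", "TLSv1.3")
    return {
        "total": len(suites),
        "banned": [n for n, _ in suites if banned in n],
        # Suites usable by pre-TLS1.2 clients (what a legacy policy re-enables).
        "pre_tls12": [n for n, proto in suites if proto not in modern],
    }


if __name__ == "__main__":
    for label, cs in (("legacy", LEGACY), ("legacy without RC4", LEGACY_NO_RC4)):
        report = audit(cs)
        print(f"{label}: {report['total']} suites, "
              f"{len(report['pre_tls12'])} pre-TLS1.2, banned={report['banned']}")
        if report["banned"]:
            print("  FAIL: banned suites are still enabled")
```

Builds compiled without RC4 report no banned suites for either string, so run the check on the host whose OpenSSL actually serves the traffic.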