TLSv1 on CentOS-8
Viktor Dukhovni
openssl-users at dukhovni.org
Fri Apr 17 17:17:25 UTC 2020
On Fri, Apr 17, 2020 at 06:06:56PM +0100, Junaid Mukhtar wrote:
> Hi, we have a requirement to enable tlsv1 for an edge case. When we enable
> that via Tomas' recommendation it enables rc4 cipher.
Yes, but in OpenSSL 1.1.1, it is not clear why enabling the protocol has
any impact on the cipher selection. These are separate concerns in the
underlying OpenSSL library. The "DEFAULT" cipherlist does not include
RC4.
If the CentOS policies for enabling TLS 1.0 also have the side effect of
enabling weak ciphers, set the cipherlist back to "DEFAULT", which for
TLS 1.0 includes only:

    $ openssl ciphers -s -tls1 -v DEFAULT
    ECDHE-ECDSA-AES256-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
    ECDHE-RSA-AES256-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
    DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
    ECDHE-ECDSA-AES128-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=AES(128) Mac=SHA1
    ECDHE-RSA-AES128-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
    DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
    AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
    AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1

--
Viktor.
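
Added example, not part of the original message: a shell check that reads
`openssl ciphers -v` output and flags RC4 and other weak suites, so the
effective TLS 1.0 cipherlist can be verified after the protocol is enabled.
The function names and the sample list are constructed for illustration.

```shell
#!/bin/sh
# weak_suites: read `openssl ciphers -v` lines on stdin and print each suite
# whose Enc=/Au=/Mac= fields name a weak primitive, followed by the reasons.
weak_suites() {
    awk '
    NF >= 6 {
        reason = ""
        for (i = 3; i <= NF; i++) {
            if ($i ~ /^Enc=RC4/)                 reason = reason " RC4"
            else if ($i ~ /^Enc=(3DES|DES|RC2)/) reason = reason " legacy-block-cipher"
            else if ($i == "Enc=None")           reason = reason " no-encryption"
            else if ($i == "Au=None")            reason = reason " anonymous"
            else if ($i == "Mac=MD5")            reason = reason " MD5-MAC"
        }
        if (reason != "") print $1 ":" reason
    }'
}

# check_cipherlist: return 0 when stdin holds no weak suite, otherwise print
# the findings and return 1 (usable as a gate in a deployment script).
check_cipherlist() {
    found=$(weak_suites)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Constructed sample (not captured output): a TLS 1.0 list that picked up RC4.
sample_with_rc4() {
    cat <<'EOF'
ECDHE-RSA-AES256-SHA TLSv1 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
ECDHE-RSA-RC4-SHA TLSv1 Kx=ECDH Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
EOF
}

# Demo on the constructed sample. Against a live system, pipe the real list:
#   openssl ciphers -s -tls1 -v DEFAULT | check_cipherlist
sample_with_rc4 | check_cipherlist || echo "weak suites present"
```
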