checking for enable-weak-ssl-ciphers at runtime?
Michael Wojcik
Michael.Wojcik at microfocus.com
Sun May 24 20:49:46 UTC 2020
> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of
> Daniel Lenski
> Sent: Saturday, May 23, 2020 17:24
>
> > Other than looping through all of the ciphers with SSL_get_ciphers()
> > right after this… is there a better way to check for 3DES/RC4 support
> > right at startup, so we can give immediate feedback that connecting to
> > such a server cannot succeed?
>
> It was suggested that I should try EVP_get_ciphername().
>
> I tested both EVP_get_cipherbyname("DES-EDE3-CBC") == NULL, and
> EVP_des_ede3_cbc() == NULL, but unfortunately both of those APIs
> appear insensitive to whether or not 3DES is actually supported by the
> library.
>
> Is there another approach to check for 3DES support before actually
> creating an SSL_CTX?
Actually trying to encrypt something using 3DES and the EVP API? Maybe it would even fail on EVP_CipherInit.
It's been a while since I used that, but something like:
static const unsigned char dummy[192] = {1};
unsigned char dummy_out[8];
int outlen = 0;
EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
int tdes_enabled = EVP_CipherInit(ctx, EVP_des_ede3_cbc(), dummy, dummy) &&
EVP_EncryptUpdate(ctx, dummy_out, &outlen, dummy, 1) &&
EVP_EncryptFinal(ctx, dummy_out, &outlen);
EVP_CIPHER_CTX_free(ctx);
Untested.
--
Michael Wojcik
Distinguished Engineer, Micro Focus
More information about the openssl-users
mailing list