<div dir="ltr"><div>Thank you Ben, but I am afraid it does not work unless I'm doing something wrong.<br></div>Here is a code snippet:<br><font face="monospace,monospace">int CSSL::createCTX(SSL_CTX **ppctx, int &extError)<br>{<br> X509_NAME *xn;<br> SSL *ssl;<br> X509 *pX509;<br> POSITION pos;<br> TCHAR name[256], *cert_file = NULL, *CAfile, certInfo[512] = _T("");<br> int len, err;<br> char *CApath = NULL, caFile[256];<br> extError = 0;<br><br> if(!(*ppctx = SSL_CTX_new(SSLv23_client_method()))) {<br> ::ShowErrorMsg((DWORD)m_pConfig, 0, 0, SSL_ERROR_CAPTION, _T("Error creating ctx object - SSL_CTX_new() failed"));<br> extError = _SSL_CTX_NEW_FAILED;<br> return _SSL_ERROR;<br> }<br><br> SSL_CTX_set_options(*ppctx, 0);<br> SSL_CTX_set_security_level(*ppctx, 0); // for compatibility with weak ciphers<br>.<br>.<br></font><br></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">Gerrit van Niekerk<br>GP van Niekerk Ondernemings BK<br>Roosstraat 211, Meyerspark, 0184, South Africa<br>Tel: +27(12)8036501 Fax SA: 086 537 4131<br>Voip: 0105912084<br>Cell: +27(73)6891370<br>Email: <a href="/user/SendEmail.jtp?type=node&node=71063&i=0" target="_top" rel="nofollow" link="external">[hidden email]</a>, <a href="/user/SendEmail.jtp?type=node&node=71063&i=1" target="_top" rel="nofollow" link="external">[hidden email]</a><br>Web: <a href="http://www.gpvno.co.za" target="_blank" rel="nofollow" link="external">http://www.gpvno.co.za</a><br><br></div></div></div>
<br><div class="gmail_quote">On Wed, Jun 7, 2017 at 6:16 PM, OpenSSL - User mailing list [via OpenSSL] <span dir="ltr"><<a href="/user/SendEmail.jtp?type=node&node=71063&i=2" target="_top" rel="nofollow" link="external">[hidden email]</a>></span> wrote:<br><blockquote style='border-left:2px solid #CCCCCC;padding:0 1em' class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">
On 06/07/2017 11:13 AM, gerritvn wrote:<br>
</span><span class=""><blockquote style='border-left:2px solid #CCCCCC;padding:0 1em' style="border-left:2px solid #cccccc;padding:0 1em" type="cite">
<pre>We are using OpenSSL in a terminal emulation product.
We recently upgraded from OpenSSL v 1.0.2g to OpenSSL v 1.1.0e.
Some servers we connect to do not support any of the strong ciphers which
are compiled by default in OpenSSL v 1.1.0e and returns an alert with
"handshake error".
We recompiled with the option "enable-weak-ssl-ciphers", but that does not
solve the problem.
With OpenSSL v 1.0.2g one specific server selected the Cipher Suite:
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a) which is shown as DES-CBC3-SHA by
OpenSSL
Listing ciphers with our OpenSSL 1.1.0e "enable-weak-ssl-ciphers" build with
the command:
openssl ciphers -v "ALL:@SECLEVEL=0"
shows this entry:
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
This cipher is, however, not offered in the Client Hello when our client
opens the connection.
What do we need to add to our program to get our client to offer the weak
ciphers as well as the strong ones?
</pre>
</blockquote>
<br>
<br>
</span><a class="m_1777703550231898860moz-txt-link-freetext" href="https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_security_level.html" rel="nofollow" link="external" target="_blank">https://www.openssl.org/docs/<wbr>man1.1.0/ssl/SSL_CTX_set_<wbr>security_level.html</a><br>
<br>
-Ben<span class=""><br>
<br>--
<br>openssl-users mailing list
<br>To unsubscribe: <a href="https://mta.openssl.org/mailman/listinfo/openssl-users" rel="nofollow" link="external" target="_blank">https://mta.openssl.org/<wbr>mailman/listinfo/openssl-users</a><br>
<br>
<br>
</span><hr noshade size="1" color="#cccccc">
<div style="color:#444;font:12px tahoma,geneva,helvetica,arial,sans-serif">
<div style="font-weight:bold">If you reply to this email, your message will be added to the discussion below:</div>
<a href="http://openssl.6102.n7.nabble.com/Using-weak-ciphers-in-OpenSSL-v-1-1-0e-client-tp71061p71062.html" target="_blank" rel="nofollow" link="external">http://openssl.6102.n7.nabble.<wbr>com/Using-weak-ciphers-in-<wbr>OpenSSL-v-1-1-0e-client-<wbr>tp71061p71062.html</a>
</div>
<div style="color:#666;font:11px tahoma,geneva,helvetica,arial,sans-serif;margin-top:.4em;line-height:1.5em">
To unsubscribe from Using weak ciphers in OpenSSL v 1.1.0e client, <a href="" target="_blank" rel="nofollow" link="external">click here</a>.<br>
<a href="http://openssl.6102.n7.nabble.com/template/NamlServlet.jtp?macro=macro_viewer&id=instant_html%21nabble%3Aemail.naml&base=nabble.naml.namespaces.BasicNamespace-nabble.view.web.template.NabbleNamespace-nabble.view.web.template.NodeNamespace&breadcrumbs=notify_subscribers%21nabble%3Aemail.naml-instant_emails%21nabble%3Aemail.naml-send_instant_email%21nabble%3Aemail.naml" rel="nofollow" style="font:9px serif" target="_blank" link="external">NAML</a>
</div></blockquote></div><br></div>
<br/><hr align="left" width="300" />
View this message in context: <a href="http://openssl.6102.n7.nabble.com/Using-weak-ciphers-in-OpenSSL-v-1-1-0e-client-tp71061p71063.html">Re: Using weak ciphers in OpenSSL v 1.1.0e client</a><br/>
Sent from the <a href="http://openssl.6102.n7.nabble.com/OpenSSL-User-f3.html">OpenSSL - User mailing list archive</a> at Nabble.com.<br/>