<div dir="auto"><div>Note: This is better asked on the CentOS support forums, since it asks about changes that CentOS made to OpenSSL.</div><div dir="auto"><br></div><div dir="auto">This is an unsupported configuration, and will be overwritten if you audit or reinstall the crypto-policies package. Also, I haven't looked to see where /etc/crypto-policies/back-ends/opensslcnf.config versus /etc/crypto-policies/back-ends/openssl.config are used.<div dir="auto"><br></div><div dir="auto">Since you're modifying the LEGACY policy (and the files in /etc/crypto-policies/back-ends/ are all symlinks, and I don't want to give information that would modify any security level without regard for knowing what security level is currenty in place): You want to modify the /usr/share/crypto-policies/LEGACY/openssl.txt file to append ":!RC4" to it. You should also modify /usr/share/crypto-policies/LEGACY/opensslcnf.txt to append ":!RC4" to the CipherString line, and ":!RC4-SHA" to the Ciphersuites line.</div><br>There are additional files in there that refer to other services and crypto libraries, that you may wish to change as well. The OpenSSL support lists don't have any information about them.</div><div dir="auto"><br></div><div dir="auto">-Kyle H</div><div dir="auto"><br><div class="gmail_quote" dir="auto"><div dir="ltr" class="gmail_attr">On Fri, Apr 17, 2020, 09:40 Junaid Mukhtar <<a href="mailto:junaid.mukhtar@gmail.com">junaid.mukhtar@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small">Hi Tomas</div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small">Is it possible to enable legacy protocols/ciphers but disable only one. In particular we want RC4-SHA to be disable<br clear="all"></div><div><div dir="ltr" data-smartmail="gmail_signature"><font size="2"><span style="font-family:verdana,sans-serif"><br>--------<br>Regards,</span><br style="font-family:verdana,sans-serif"><span style="font-family:verdana,sans-serif">Junaid</span></font><br></div></div><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Apr 15, 2020 at 5:13 PM Junaid Mukhtar <<a href="mailto:junaid.mukhtar@gmail.com" target="_blank" rel="noreferrer">junaid.mukhtar@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small">Thanks a lot; It really helped<br clear="all"></div><div><div dir="ltr"><font size="2"><span style="font-family:verdana,sans-serif"><br>--------<br>Regards,</span><br style="font-family:verdana,sans-serif"><span style="font-family:verdana,sans-serif">Junaid</span></font><br></div></div><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Apr 15, 2020 at 5:04 PM Tomas Mraz <<a href="mailto:tmraz@redhat.com" target="_blank" rel="noreferrer">tmraz@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Wed, 2020-04-15 at 16:57 +0100, Junaid Mukhtar wrote:<br>
> Hi Team<br>
> <br>
> I am trying to enable TLSv1 on CentOS-8. We don't have the ability to<br>
> upgrade the server unfortunately so we need to enable TLSv1 with<br>
> weak-ciphers on OpenSSL. <br>
> <br>
> I have tried to build the OpenSSL version manually using switches<br>
> "./config --prefix=/usr/local/openssl --openssldir=/usr/local/openssl <br>
> shared enable-weak-ssl-ciphers enable-deprecated enable-rc4 enable-<br>
> tls1 zlib" which ran successfully <br>
> <br>
> [root@2cb6477375aa openssl-OpenSSL_1_1_1c]# openssl version<br>
> OpenSSL 1.1.1c 28 May 2019<br>
> <br>
> <br>
> But i am still not able to run the "openssl s_client -connect "<br>
> command without specifying -tls1 in it. Build accepts the weak-<br>
> ciphers but not the tls1 version.<br>
> <br>
> Can someone please help me with this?<br>
<br>
You should not need to recompile openssl or anything. <br>
<br>
Just run:<br>
<br>
update-crypto-policies --set LEGACY<br>
<br>
and restart the service that is supposed to be providing the TLS1<br>
server or reboot the machine.<br>
<br>
The LEGACY crypto policy purpose is exactly for re-enabling some of the<br>
not-up-to-date protocols and crypto algorithms.<br>
<br>
-- <br>
Tomáš Mráz<br>
No matter how far down the wrong road you've gone, turn back.<br>
Turkish proverb<br>
[You'll know whether the road is wrong if you carefully listen to your<br>
conscience.]<br>
<br>
<br>
</blockquote></div>
</blockquote></div>
</blockquote></div></div></div>