<div dir="ltr"><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small">Hi Tomas</div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small">Is it possible to enable legacy protocols/ciphers but disable only one. In particular we want RC4-SHA to be disable<br clear="all"></div><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><font size="2"><span style="font-family:verdana,sans-serif"><br>--------<br>Regards,</span><br style="font-family:verdana,sans-serif"><span style="font-family:verdana,sans-serif">Junaid</span></font><br></div></div><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Apr 15, 2020 at 5:13 PM Junaid Mukhtar <<a href="mailto:junaid.mukhtar@gmail.com">junaid.mukhtar@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small">Thanks a lot; It really helped<br clear="all"></div><div><div dir="ltr"><font size="2"><span style="font-family:verdana,sans-serif"><br>--------<br>Regards,</span><br style="font-family:verdana,sans-serif"><span style="font-family:verdana,sans-serif">Junaid</span></font><br></div></div><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Apr 15, 2020 at 5:04 PM Tomas Mraz <<a href="mailto:tmraz@redhat.com" target="_blank">tmraz@redhat.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On Wed, 2020-04-15 at 16:57 +0100, Junaid Mukhtar wrote:<br>
> Hi Team<br>
> <br>
> I am trying to enable TLSv1 on CentOS-8. We don't have the ability to<br>
> upgrade the server unfortunately so we need to enable TLSv1 with<br>
> weak-ciphers on OpenSSL. <br>
> <br>
> I have tried to build the OpenSSL version manually using switches<br>
> "./config --prefix=/usr/local/openssl --openssldir=/usr/local/openssl <br>
> shared enable-weak-ssl-ciphers enable-deprecated enable-rc4 enable-<br>
> tls1 zlib" which ran successfully <br>
> <br>
> [root@2cb6477375aa openssl-OpenSSL_1_1_1c]# openssl version<br>
> OpenSSL 1.1.1c 28 May 2019<br>
> <br>
> <br>
> But i am still not able to run the "openssl s_client -connect "<br>
> command without specifying -tls1 in it. Build accepts the weak-<br>
> ciphers but not the tls1 version.<br>
> <br>
> Can someone please help me with this?<br>
<br>
You should not need to recompile openssl or anything. <br>
<br>
Just run:<br>
<br>
update-crypto-policies --set LEGACY<br>
<br>
and restart the service that is supposed to be providing the TLS1<br>
server or reboot the machine.<br>
<br>
The LEGACY crypto policy purpose is exactly for re-enabling some of the<br>
not-up-to-date protocols and crypto algorithms.<br>
<br>
-- <br>
Tomáš Mráz<br>
No matter how far down the wrong road you've gone, turn back.<br>
Turkish proverb<br>
[You'll know whether the road is wrong if you carefully listen to your<br>
conscience.]<br>
<br>
<br>
</blockquote></div>
</blockquote></div>