[openssl-users] Openssl connects with Des-Cbc-sha in tls1.2

Jakob Bohm jb-openssl at wisemo.com
Thu Dec 1 12:26:09 UTC 2016


On 01/12/2016 08:49, vishnu raju wrote:
> Hi all,
> I am getting connection success in a tls1.2 connection with 
> Des-Cbc-sha cipher.  But up to my knowledge this cipher is deprecated 
> on tls1.2.
> Thanks for your help.
>
It is not disabled, just scheduled for future disabling as far
as the TLS 1.2 standard/RFC is concerned.

In OpenSSL its use is controlled by the "cipher list" setting,
which is a runtime setting made by the client and server software.

For single-DES (not triple DES), this would indicate that both ends
are configured insecurely since single DES has been considered weak
almost since the invention of SSL/TLS.

For Triple-DES (DES3), some recent OpenSSL versions reclassified it
to a lower grade because of the well-known (since the beginning)
danger of encrypting too much data with a single key, a danger that
was recently highlighted under the name SWEET32.  Triple DES can
be enabled or disabled via an appropriate "cipher list" setting
regardless of OpenSSL version.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
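
The reply above says DES and Triple-DES use is decided by the "cipher list" setting. The following check is an added example, not part of the original message or of OpenSSL: it asks the local OpenSSL build (through Python's `ssl` module) which DES or 3DES suites a given cipher list string enables. The function name `des_suites` and the sample strings are assumptions chosen for illustration.

```python
import re
import ssl

# Matches the "Enc=" column of OpenSSL's cipher description, e.g. "Enc=3DES(168)".
_DES_ENC = re.compile(r"Enc=(3DES|DES)\(")


def des_suites(cipher_list):
    """Return {suite name: "DES" or "3DES"} for suites this cipher list enables.

    The answer depends on the OpenSSL build Python is linked against: builds
    compiled without weak ciphers cannot enable them with any string.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_list)
    except ssl.SSLError:
        # The string selects no cipher suite at all in this build.
        return {}
    found = {}
    for suite in ctx.get_ciphers():
        match = _DES_ENC.search(suite.get("description", ""))
        if match:
            found[suite["name"]] = match.group(1)
    return found


if __name__ == "__main__":
    print("linked against:", ssl.OPENSSL_VERSION)
    # Constructed sample strings: a permissive list, the build default,
    # and the default with single DES and Triple-DES explicitly removed.
    for candidate in ("ALL", "DEFAULT", "DEFAULT:!DES:!3DES"):
        hits = des_suites(candidate)
        print(f"{candidate!r}: {hits if hits else 'no DES/3DES suites'}")
```

Run it on both the client and the server host, since a suite is negotiated only when both ends' cipher lists allow it.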


