[openssl-users] Openssl connects with Des-Cbc-sha in tls1.2

Jakob Bohm jb-openssl at wisemo.com
Thu Dec 1 12:26:09 UTC 2016

On 01/12/2016 08:49, vishnu raju wrote:
> Hi all,
> I am getting connection success in a tls1.2 connection with
> Des-Cbc-sha cipher.  But up to my knowledge this cipher is deprecated
> on tls1.2.
> Thanks for your help.
It is not disabled, just scheduled for future disabling as far
as the TLS 1.2 standard/RFC is concerned.

In OpenSSL its use is controlled by the "cipher list" setting,
which is a runtime setting made by the client and server software.

For single-DES (not triple DES), this would indicate that both ends
are configured insecurely since single DES has been considered weak
almost since the invention of SSL/TLS.

For Triple-DES (DES3), some recent OpenSSL versions reclassified it
to a lower grade because of the well-known (since the beginning)
danger of encrypting too much data with a single key, a danger that
was recently highlighted under the name SWEET32.  Triple DES can
be enabled or disabled via an appropriate "cipher list" setting
regardless of OpenSSL version.


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
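
An added example, not part of the message above: a Python check of which single-DES and Triple-DES suites a given "cipher list" string leaves enabled in the local OpenSSL build, using the standard `ssl` module. The function names and the two sample cipher strings are chosen for illustration, and the result depends on the OpenSSL build Python is linked against.

```python
import ssl


def classify(name):
    """Return "3DES", "DES" or None for an OpenSSL cipher suite name."""
    # OpenSSL names Triple-DES suites with "DES-CBC3" (e.g. DES-CBC3-SHA).
    if "DES-CBC3" in name or "3DES" in name:
        return "3DES"
    if "DES" in name:
        return "DES"
    return None


def enabled_des_suites(cipher_list):
    """Apply cipher_list to a fresh client context and report which DES
    and 3DES suites remain enabled."""
    found = {"DES": [], "3DES": []}
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_list)
    except ssl.SSLError:
        # The string selected no suite available in this build,
        # so nothing (DES or otherwise) is enabled by it.
        return found
    for suite in ctx.get_ciphers():
        kind = classify(suite["name"])
        if kind:
            found[kind].append(suite["name"])
    return found


if __name__ == "__main__":
    # Sample cipher strings (constructed for this example).
    for cipher_list in ("DEFAULT", "DEFAULT:!DES:!3DES"):
        print(cipher_list, "->", enabled_des_suites(cipher_list))
```

Running the same check against the cipher string actually configured in the client and server software shows whether either side still offers these suites.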
