[openssl-users] no-weak-ssl-ciphers and OPENSSL_NO_WEAK_SSL_CIPHERS?

Jeffrey Walton noloader at gmail.com
Mon Mar 7 00:04:09 UTC 2016


I noticed a new option no-weak-ssl-ciphers. It defines
OPENSSL_NO_WEAK_SSL_CIPHERS.

From a grep it looks like OPENSSL_NO_WEAK_SSL_CIPHERS is used by
s3_lib.c. Inspecting the hits, it appears the define disables cipher
suites with RC4.

I also noticed there is some use of MD5 which is not guarded by
OPENSSL_NO_WEAK_SSL_CIPHERS. I mention it because of the browser's
Obsolete Cryptography warning
(http://security.stackexchange.com/q/83831 and
https://codereview.chromium.org/703143003).

So my question is, does OPENSSL_NO_WEAK_SSL_CIPHERS do anything more
than remove RC4?

