[openssl-users] When ciphers are deprecated?
Matt Caswell
matt at openssl.org
Wed Nov 30 09:58:03 UTC 2016
On 30/11/16 09:35, Mattia Rossi wrote:
> Hi all,
>
> After updating from 1.0.2h to 1.0.2j some of my PHP script is broken,
> because it can't connect to the server, after some research the server
> supports very old TLSv1.0 ciphers.
>
> So i check what ciphers PHP query for and with different versions of
> openssl i get different result, so in libssl 1.0.2h i have these
> chipers:
> - EDH-RSA-DES-CBC3-SHA
> - DES-CBC3-SHA
>
> In the last version i haven't.
>
> Where is the information when ciphers are dropped? and why?
These ciphers have not been dropped in 1.0.2, but reclassified from the
"HIGH" cipherstring keyword to the "MEDIUM" cipherstring keyword. Major
changes such as these are normally described in the CHANGES file:
https://github.com/openssl/openssl/blob/OpenSSL_1_0_2-stable/CHANGES
In this case, the following entry is relevant:
*) In order to mitigate the SWEET32 attack, the DES ciphers were moved
from
HIGH to MEDIUM.
This issue was reported to OpenSSL Karthikeyan Bhargavan and Gaetan
Leurent (INRIA)
(CVE-2016-2183)
[Rich Salz]
You can read more about SWEET32 here:
https://www.openssl.org/blog/blog/2016/08/24/sweet32/
Matt
More information about the openssl-users
mailing list