[openssl-users] enable TLS_RSA_WITH_RC4_128_MD5 in openssl 1.1.0e?

Matt Caswell matt at openssl.org
Fri Jun 2 08:29:27 UTC 2017



On 01/06/17 18:16, Siyuan Xiang wrote:
> Hi Matt,
> 
> I tried the following command, but it failed. The following is my command.
> 
> ./config enable-weak-ssl-ciphers --prefix=/opt
> make
> make DESTDIR=/path/to/dir INSTALL
> 
> $ ./openssl version
> OpenSSL 1.1.0e  16 Feb 2017
> 
> ./openssl s_client -cipher "RC4-MD5:@SECLEVEL=0"
> 
> error setting cipher list
> 140369010624144:error:140E6118:SSL
> routines:SSL_CIPHER_PROCESS_RULESTR:invalid command:ssl_ciph.c:1337:
> 
> 
> ./openssl ciphers "RC4-MD5:@SECLEVEL=0"
> Error in cipher list
> 140458428679936:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no
> cipher match:ssl/ssl_lib.c:2018:

That's very strange. Those exact same commands work fine for me. Are you
sure you are picking up the version of 1.1.0e compiled with
enable-weak-ssl-ciphers and not some other previous compilation of 1.1.0e?

Matt


> 
> However, after I change the order of the SSL_CTX_set_XXX function calls,
> TLS_RSA_WITH_RC4_128_MD5 does appear in the client hello cipher list.
> 
>     SSL_CTX_set_security_level(ctx, 0);
>     SSL_CTX_set_cipher_list(ctx, "ALL:RC4-MD5");
> 
> Regards,
> Siyuan
> ---
> 
> On Thu, Jun 1, 2017 at 2:41 AM, Matt Caswell <matt at openssl.org> wrote:
> 
> 
> 
>     On 31/05/17 21:22, Siyuan Xiang wrote:
>     > Hi all,
>     >
>     > I have a legacy server that only accepts the TLS_RSA_WITH_RC4_128_MD5 cipher.
>     >
>     > I have a client using openssl 1.1.0e. It doesn't include
>     > TLS_RSA_WITH_RC4_128_MD5.
>     > I have recompiled openssl using enable-weak-ssl-ciphers, but it
>     > doesn't work,
>     > although TLS_RSA_WITH_RC4_128_SHA is in the client hello message.
>     >
>     > It looks like all MD5-related ciphers are removed. I tried to
>     > use SSL_CTX_set_security_level to
>     > set the level to 0, but it doesn't work.
>     >
>     > Do you have any idea how to enable TLS_RSA_WITH_RC4_128_MD5?
> 
>     How have you configured your ciphersuite list? I can get this to work in
>     1.1.0 using s_server and s_client.
> 
>     Having built with "enable-weak-ssl-ciphers" I start up s_server like
>     this:
> 
>     $ openssl s_server -cipher "RC4-MD5:@SECLEVEL=0"
> 
>     And then run s_client like this:
> 
>     $ openssl s_client -cipher "RC4-MD5:@SECLEVEL=0"
> 
>     The connection is successful and uses the RC4-MD5 ciphersuite (aka
>     TLS_RSA_WITH_RC4_128_MD5).
> 
>     Matt
> 
> 
> 
> 
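
The check Matt asks about above (is the binary being run really the build configured with enable-weak-ssl-ciphers?) can be scripted. This is an added example, not part of the original message or of OpenSSL; the function names `cipher_verdict` and `diagnose_cipher` are hypothetical, and the script assumes a POSIX shell (the `ldd` step is skipped if `ldd` is absent).

```shell
#!/bin/sh
# Added example: find out why an openssl binary rejects "RC4-MD5:@SECLEVEL=0".
# Usage (path is an assumption): diagnose_cipher /opt/bin/openssl RC4-MD5

# Print one verdict word for binary $1 and cipher name $2:
#   available        cipher string accepted and the cipher is listed
#   invalid-command  the cipher-string parser rejected a command; the only
#                    command in the string passed here is @SECLEVEL
#   no-cipher-match  the string parsed, but this libssl offers no such cipher
#   unknown-error    anything else
cipher_verdict() {
    bin=$1 cipher=$2
    if out=$("$bin" ciphers "$cipher:@SECLEVEL=0" 2>&1); then
        # Output is a colon-separated list; match the whole name only.
        case ":$out:" in
            *":$cipher:"*) echo available ;;
            *) echo unknown-error ;;
        esac
        return 0
    fi
    case $out in
        *"invalid command"*) echo invalid-command ;;
        *"no cipher match"*) echo no-cipher-match ;;
        *) echo unknown-error ;;
    esac
}

# Print the facts needed to tell two builds apart, then the verdict.
# Returns 0 only when the cipher is available.
diagnose_cipher() {
    bin=$1 cipher=$2
    echo "binary : $bin"
    echo "version: $("$bin" version 2>&1 || true)"
    # Which shared libssl/libcrypto does this binary resolve at run time?
    # If these are not the freshly built ones, the new configure option
    # is not the one in effect.
    if command -v ldd >/dev/null 2>&1; then
        ldd "$bin" 2>/dev/null | grep -E 'lib(ssl|crypto)' \
            || echo "  (no shared libssl/libcrypto shown by ldd)"
    fi
    verdict=$(cipher_verdict "$bin" "$cipher")
    echo "verdict: $verdict"
    [ "$verdict" = available ]
}
```

Run it against each candidate binary by full path and compare the library lines between them.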

