[openssl-users] Using weak ciphers in OpenSSL v 1.1.0e client

gerritvn gerritvn at gpvno.co.za
Wed Jun 7 18:54:04 UTC 2017


Thank you Ben, but I am afraid it does not work unless I'm doing something
wrong.
Here is a code snippet:
int CSSL::createCTX(SSL_CTX **ppctx, int &extError)
{
    X509_NAME *xn;
    SSL *ssl;
    X509 *pX509;
    POSITION pos;
    TCHAR name[256], *cert_file = NULL, *CAfile, certInfo[512] = _T("");
    int len, err;
    char *CApath = NULL, caFile[256];
    extError = 0;

    if(!(*ppctx = SSL_CTX_new(SSLv23_client_method()))) {
        ::ShowErrorMsg((DWORD)m_pConfig, 0, 0, SSL_ERROR_CAPTION,
            _T("Error creating ctx object - SSL_CTX_new() failed"));
        extError = _SSL_CTX_NEW_FAILED;
        return _SSL_ERROR;
    }

    SSL_CTX_set_options(*ppctx, 0);           // passing 0 sets no additional option bits
    SSL_CTX_set_security_level(*ppctx, 0);    // for compatibility with weak ciphers
.
.


Gerrit van Niekerk
GP van Niekerk Ondernemings BK
Roosstraat 211, Meyerspark, 0184, South Africa
Tel: +27(12)8036501 Fax SA: 086 537 4131
Voip: 0105912084
Cell: +27(73)6891370
Email: gerritvn at gpvno.co.za, gerritvn1945 at gmail.com
Web: http://www.gpvno.co.za


On Wed, Jun 7, 2017 at 6:16 PM, OpenSSL - User mailing list [via OpenSSL] <
ml+s6102n71062h14 at n7.nabble.com> wrote:

> On 06/07/2017 11:13 AM, gerritvn wrote:
>
> We are using OpenSSL in a terminal emulation product.
> We recently upgraded from OpenSSL v 1.0.2g to OpenSSL v 1.1.0e.
> Some servers we connect to do not support any of the strong ciphers which
> are compiled by default in OpenSSL v 1.1.0e and return an alert with
> "handshake error".
> We recompiled with the option "enable-weak-ssl-ciphers", but that does not
> solve the problem.
> With OpenSSL v 1.0.2g one specific server selected the Cipher Suite:
> TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a) which is shown as DES-CBC3-SHA by
> OpenSSL
> Listing ciphers with our OpenSSL 1.1.0e "enable-weak-ssl-ciphers" build with
> the command:
> openssl ciphers -v "ALL:@SECLEVEL=0"
> shows this entry:
> DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
> This cipher is, however, not offered in the Client Hello when our client
> opens the connection.
>
> What do we need to add to our program to get our client to offer the weak
> ciphers as well as the strong ones?
>
>
>
>
> https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_security_level.html
>
> -Ben
>
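
The question quoted above notes that DES-CBC3-SHA (0x000a) never appears in the Client Hello. As an added example (not code from this thread or from OpenSSL), the C function below checks captured Client Hello bytes for a given cipher suite ID, which confirms from the wire what the client actually offers. The function name and the sample bytes are constructed for illustration; it assumes the Client Hello arrives unfragmented in a single TLS record.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: minimal ClientHello, zero random, no extensions. */
static const uint8_t SAMPLE_HELLO[] = {
    0x16, 0x03, 0x01, 0x00, 0x2f,          /* record: handshake, 47 bytes */
    0x01, 0x00, 0x00, 0x2b,                /* ClientHello, 43-byte body   */
    0x03, 0x03,                            /* client_version              */
    0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,      /* random (32 bytes)           */
    0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0,
    0x00,                                  /* empty session_id            */
    0x00, 0x04, 0xc0, 0x2f, 0x00, 0x0a,    /* cipher_suites: c02f, 000a   */
    0x01, 0x00                             /* compression_methods: null   */
};

/* Returns 1 if `suite` is listed in cipher_suites, 0 if it is not, and -1
 * if p[0..len) is not one complete, unfragmented TLS ClientHello record. */
int client_hello_offers(const uint8_t *p, size_t len, uint16_t suite)
{
    size_t off, end, n, i;
    if (len < 9 || p[0] != 0x16 || p[5] != 0x01)
        return -1;                          /* not handshake/ClientHello */
    end = 5 + (((size_t)p[3] << 8) | p[4]); /* end of the TLS record */
    n = ((size_t)p[6] << 16) | ((size_t)p[7] << 8) | p[8];
    if (end > len || 9 + n > end)
        return -1;                          /* truncated capture */
    end = 9 + n;                            /* end of the ClientHello body */
    off = 9 + 2 + 32;                       /* skip client_version, random */
    if (off >= end)
        return -1;
    off += 1 + (size_t)p[off];              /* skip session_id */
    if (off + 2 > end)
        return -1;
    n = ((size_t)p[off] << 8) | p[off + 1]; /* cipher_suites length in bytes */
    off += 2;
    if (n % 2 != 0 || off + n > end)
        return -1;
    for (i = 0; i < n; i += 2)
        if ((((unsigned)p[off + i] << 8) | p[off + i + 1]) == suite)
            return 1;
    return 0;
}

int main(void)
{
    int r = client_hello_offers(SAMPLE_HELLO, sizeof SAMPLE_HELLO, 0x000a);
    printf("0x000a (DES-CBC3-SHA) offered: %d\n", r);
    return 0;
}
```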



