[openssl-users] Re-enable 3DES on NGINX + OpenSSL 1.1.1

Neil Craig Neil.Craig at bbc.co.uk
Mon Sep 17 15:29:29 UTC 2018

Hi all

I'm trying to re-add 3DES support (a temporary move, due to business requirements) to an NGINX (1.15.3) + OpenSSL (1.1.1) build via the NGINX build flag --with-openssl-opt=enable-weak-ssl-ciphers which i learnt from https://www.openssl.org/blog/blog/2016/08/24/sweet32/.

Whilst I do see some older ciphersuites being offered by NGINX after doing this, e.g. Camelia, Seed and so on, i don't see 3DES. I was expecting to be able to specifically list 3DES e.g. via DES-CBC3-SHA but that didn’t work. I have also tried adding @seclevel=0 to the ciphersuite string in NGINX but again, that didn’t work, I don’t see any 3DES ciphersuites available in NGINX.

I'm wondering whether something changed between the above article and the final version of OpenSSL 1.1.1? (I.e. Whether 3DES support was completely removed in OpenSSL 1.1.1).

Any pointers would be very much appreciated, I can’t find anything very useful on the web.


Neil Craig
Lead Technical Architect | Online Technology Group
Broadcast Centre, London W12 7TQ | BC4 A3
Twitter: https://twitter.com/tdp_org

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20180917/853c2c78/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 60158DAA-E151-40BD-A3FB-C615340C7061[19].png
Type: image/png
Size: 1914 bytes
Desc: 60158DAA-E151-40BD-A3FB-C615340C7061[19].png
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20180917/853c2c78/attachment.png>

More information about the openssl-users mailing list