[openssl-users] Re-enable 3DES on NGINX + OpenSSL 1.1.1

Short, Todd tshort at akamai.com
Wed Sep 19 20:48:18 UTC 2018


3DES is considered to only be 112 bits in strength. The default security level is 1 (which allows most things), perhaps nginx resets the security level to 3 or greater (which means a minimum of 128-bit ciphers).

--
-Todd Short
// tshort at akamai.com
// "One if by land, two if by sea, three if by the Internet."

On Sep 17, 2018, at 4:20 PM, Neil Craig <Neil.Craig at bbc.co.uk> wrote:

Thanks very much Matt. I have indeed built with NGINX configure opt
--with-openssl-opt=enable-weak-ssl-cipher and whilst I don't see an error
when running NGINX with a/some 3DES cipher(s) in the ciphers list, I don't
see any 3DES ciphers in the output of e.g. Testssl and I can't make a
connection to the server using openssl CLI with -cipher <3DES cipher>.

I wonder if the problem might be either NGINX not respecting/processing
the configure opt (above) or possibly removing 3DES ciphers for some
reason with openssl 1.1.1.

I'll keep digging, thanks again for your help and for confirming that's
the right thing to do.

Cheers

Neil Craig
Lead Technical Architect | Online Technology Group

Broadcast Centre, London W12 7TQ | BC4 A3
Twitter: https://twitter.com/tdp_org





On 17/09/2018, 17:41, "openssl-users on behalf of Matt Caswell"
<openssl-users-bounces at openssl.org on behalf of matt at openssl.org> wrote:



On 17/09/18 16:29, Neil Craig wrote:
Hi all

I'm trying to re-add 3DES support (a temporary move, due to business
requirements) to an NGINX (1.15.3) + OpenSSL (1.1.1) build via the NGINX
build flag --with-openssl-opt=enable-weak-ssl-ciphers which I learnt
from https://www.openssl.org/blog/blog/2016/08/24/sweet32/.

Whilst I do see some older ciphersuites being offered by NGINX after
doing this, e.g. Camelia, Seed and so on, I don't see 3DES. I was
expecting to be able to specifically list 3DES e.g. via DES-CBC3-SHA but
that didn't work. I have also tried adding @seclevel=0 to the
ciphersuite string in NGINX but again, that didn't work, I don't see any
3DES ciphersuites available in NGINX.

I'm wondering whether something changed between the above article and
the final version of OpenSSL 1.1.1? (I.e. Whether 3DES support was
completely removed in OpenSSL 1.1.1).

Any pointers would be very much appreciated, I can't find anything very
useful on the web.

3DES is still available in 1.1.1 but is no longer in the DEFAULT
ciphersuite list, so unless you explicitly configure them to be
available you won't see them (even if you configure with
enable-weak-ssl-ciphers).

E.g. (assuming you compiled with enable-weak-ssl-ciphers):


$ openssl ciphers -v | grep 3DES

Will give you 0 ciphers, but

$ openssl ciphers -v 3DES | grep 3DES

Should list 14 different 3DES ciphersuites that are available.

I don't know about nginx config though so maybe someone else can help
there.

Matt

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
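The two explanations given in this thread (Matt's: 3DES is compiled in with enable-weak-ssl-ciphers but no longer in the 1.1.1 DEFAULT list, so it must be named explicitly; Todd's: a security level of 3 or higher rejects 112-bit suites) can be checked mechanically. The script below is an added example written for this page, not code from the thread or from the OpenSSL or nginx projects. It parses the column format of `openssl ciphers -v` (the sample lines are constructed, not captured output), applies the per-level minimum strengths documented in SSL_CTX_set_security_level(3), and reports which of the three causes hides a named suite. The `strength_bits` rule that rates 3DES at 112 bits is a deliberate simplification that covers only the suites shown, and `parse_ciphers_v`, `allowed_at_seclevel`, `highest_seclevel` and `diagnose` are names chosen here.

```python
"""Model of why a 3DES suite can be absent from a TLS server built on
OpenSSL 1.1.1: not compiled in, not selected by the cipher string
(DEFAULT no longer includes it), or filtered by the security level.
Parses the `openssl ciphers -v` text format and applies the minimum
strengths from SSL_CTX_set_security_level(3)."""
import re
import shutil
import subprocess

# Minimum symmetric strength per security level, from SSL_CTX_set_security_level(3).
SECLEVEL_MIN_BITS = {0: 0, 1: 80, 2: 112, 3: 128, 4: 192, 5: 256}

# Constructed sample in the column layout of `openssl ciphers -v`; not real command output.
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-CAMELLIA256-SHA384 TLSv1.2 Kx=ECDH    Au=RSA  Enc=Camellia(256) Mac=SHA384
SEED-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=SEED(128) Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA  SSLv3 Kx=ECDH     Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
"""

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>[^(]+)\((?P<alg_bits>\d+)\)\s+Mac=(?P<mac>\S+)"
)


def strength_bits(enc, alg_bits):
    """Effective strength OpenSSL compares against the security level.

    Simplification (assumption): only the 3DES special case is modelled. The
    -v column prints 3DES's 168-bit key, but OpenSSL rates the suite at 112
    bits (meet-in-the-middle), which is why it passes level 2 (112) and
    fails level 3 (128)."""
    return 112 if enc == "3DES" else alg_bits


def parse_ciphers_v(text):
    """Parse `openssl ciphers -v` output into dicts with an added strength_bits field."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or unrecognised line
        d = m.groupdict()
        d["alg_bits"] = int(d["alg_bits"])
        d["strength_bits"] = strength_bits(d["enc"], d["alg_bits"])
        suites.append(d)
    return suites


def allowed_at_seclevel(suites, level):
    """Names of the suites that survive the given @SECLEVEL filter."""
    min_bits = SECLEVEL_MIN_BITS[level]
    return [s["name"] for s in suites if s["strength_bits"] >= min_bits]


def highest_seclevel(suites, name):
    """Highest security level at which `name` is still offered; None if it is not in the list."""
    for s in suites:
        if s["name"] == name:
            return max(lvl for lvl, bits in SECLEVEL_MIN_BITS.items() if s["strength_bits"] >= bits)
    return None


def diagnose(name, built_in, selected, level):
    """First reason `name` would be missing from the offered set, or None if offered.

    built_in: suites parsed from `openssl ciphers -v ALL` (what the library was compiled with)
    selected: suite names the server's cipher string resolves to
    level:    the effective security level"""
    by_name = {s["name"]: s for s in built_in}
    if name not in by_name:
        return "not_compiled"      # e.g. 3DES without enable-weak-ssl-ciphers
    if name not in selected:
        return "not_selected"      # compiled in, but the 1.1.1 DEFAULT string omits 3DES
    if by_name[name]["strength_bits"] < SECLEVEL_MIN_BITS[level]:
        return "below_seclevel"    # named explicitly, but @SECLEVEL filters it out
    return None


if __name__ == "__main__":
    suites = parse_ciphers_v(SAMPLE_CIPHERS_V)
    for lvl in (1, 2, 3):
        print(f"SECLEVEL={lvl}: {allowed_at_seclevel(suites, lvl)}")
    print("DES-CBC3-SHA with a DEFAULT-like selection:",
          diagnose("DES-CBC3-SHA", suites, ["ECDHE-RSA-AES256-GCM-SHA384"], 1))
    # On a host with the openssl binary, inspect the real build the same way.
    if shutil.which("openssl"):
        real = subprocess.run(["openssl", "ciphers", "-v", "ALL"],
                              capture_output=True, text=True, check=False).stdout
        names = [s["name"] for s in parse_ciphers_v(real) if s["enc"] == "3DES"]
        print(f"3DES suites compiled into this openssl: {len(names)}")
```

When run directly with `openssl` on PATH, the last lines query the real build with `openssl ciphers -v ALL`; a count of zero 3DES suites there means the library was built without enable-weak-ssl-ciphers and nothing in the cipher string or security level will bring them back, so that is the first thing to rule out.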


