Enabled weak cipher suites
matt at openssl.org
Wed Jun 26 11:29:15 UTC 2019
On 26/06/2019 12:18, John Jiang wrote:
> On Wed, Jun 26, 2019 at 2:59 PM Dr Paul Dale <paul.dale at oracle.com
> <mailto:paul.dale at oracle.com>> wrote:
> Yes there is but it will require a reconfigure and a recompile.
> Could you please show me more details about it?
> Which option(s) should be used for configuring and compiling?
To compile in support for weak ciphersuites:
$ ./config enable-weak-ssl-ciphers
And then make/make test/make install as usual.
Once support is compiled in the weak ciphersuites are still not enabled in the
"DEFAULT" set of ciphersuites - you have to explicitly enable them at run time, e.g.
$ openssl s_server -no_tls1_3 -cipher "RC4-MD5:@SECLEVEL=0"
$ openssl s_client -no_tls1_3 -cipher "RC4-MD5:@SECLEVEL=0"
> The big question is: "why?”
> RC4 and MD5 are both considered broken.
> Don't worry, just for some testing.
> Dr Paul Dale | Cryptographer | Network Security & Encryption
> Phone +61 7 3031 7217
> Oracle Australia
>> On 26 Jun 2019, at 11:41 am, John Jiang <john.sha.jiang at gmail.com
>> <mailto:john.sha.jiang at gmail.com>> wrote:
>> I'm using s_server and s_client from OpenSSL 1.1.1.
>> It looks the weak cipher suites, like SSL_RSA_WITH_RC4_128_MD5, are disabled.
>> Is there any way to re-enable these cipher suites?
More information about the openssl-users