Enabled weak cipher suites

Wed Jun 26 11:29:15 UTC 2019

On 26/06/2019 12:18, John Jiang wrote:
> On Wed, Jun 26, 2019 at 2:59 PM Dr Paul Dale <paul.dale at oracle.com
> <mailto:paul.dale at oracle.com>> wrote:
> 
>     Yes there is but it will require a reconfigure and a recompile.
> 
> Could you please show me more details about it?
> Which option(s) should be used for configuring and compiling?

To compile in support for weak ciphersuites:

$ ./config enable-weak-ssl-ciphers

And then make/make test/make install as usual.

Once support is compiled in the weak ciphersuites are still not enabled in the
"DEFAULT" set of ciphersuites - you have to explicitly enable them at run time, e.g.

$ openssl s_server -no_tls1_3 -cipher "RC4-MD5:@SECLEVEL=0"

$ openssl s_client -no_tls1_3 -cipher "RC4-MD5:@SECLEVEL=0"

Matt

>  
> 
> 
>     The big question is: "why?”
>     RC4 and MD5 are both considered broken.
> 
> Don't worry, just for some testing.
> 
> Thanks!
> 
> 
> 
>     Pauli
>     -- 
>     Dr Paul Dale | Cryptographer | Network Security & Encryption 
>     Phone +61 7 3031 7217
>     Oracle Australia
> 
> 
> 
>>     On 26 Jun 2019, at 11:41 am, John Jiang <john.sha.jiang at gmail.com
>>     <mailto:john.sha.jiang at gmail.com>> wrote:
>>
>>     Hi,
>>     I'm using s_server and s_client from OpenSSL 1.1.1.
>>     It looks the weak cipher suites, like SSL_RSA_WITH_RC4_128_MD5, are disabled.
>>     Is there any way to re-enable these cipher suites?
>>
>>     Thanks!
> 