TLSv1 on CentOS-8

Kyle Hamilton aerowolf at gmail.com
Fri Apr 17 15:55:55 UTC 2020


Note: This is better asked on the CentOS support forums, since it asks
about changes that CentOS made to OpenSSL.

This is an unsupported configuration, and will be overwritten if you audit
or reinstall the crypto-policies package.  Also, I haven't looked to see
where /etc/crypto-policies/back-ends/opensslcnf.config versus
/etc/crypto-policies/back-ends/openssl.config are used.

Since you're modifying the LEGACY policy (and the files in
/etc/crypto-policies/back-ends/ are all symlinks, and I don't want to give
information that would modify any security level without regard for knowing
what security level is currently in place): You want to modify the
/usr/share/crypto-policies/LEGACY/openssl.txt file to append ":!RC4" to
it.  You should also modify
/usr/share/crypto-policies/LEGACY/opensslcnf.txt to append ":!RC4" to the
CipherString line, and ":!RC4-SHA" to the Ciphersuites line.

There are additional files in there that refer to other services and crypto
libraries, that you may wish to change as well.  The OpenSSL support lists
don't have any information about them.

-Kyle H
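The edit described in the reply above, as an added example that is not code from the thread or from the crypto-policies project. It appends the ":!RC4" exclusion idempotently to copies of the two LEGACY files and then expands the resulting cipher string with the local openssl so the change can be checked before a service restart. The sample file contents are constructed to match the general layout of openssl.txt (one bare cipher string) and opensslcnf.txt ("Key = value" lines) and are not the real files; the paths under /usr/share/crypto-policies/LEGACY/ are the ones named in the reply, and editing them needs root and is the unsupported change the reply warns about.

```shell
#!/bin/sh
# Added example (not from the thread or the crypto-policies project):
# append ":!RC4" to the LEGACY cipher strings without duplicating it, then
# check what the local openssl makes of the result.
#
# Assumption: the sample files created below are constructed for the demo and
# only mimic the layout of openssl.txt and opensslcnf.txt; tokens are plain
# cipher-string words such as RC4 (no sed metacharacters).

# append_cipher_exclusion FILE TOKEN
#   FILE holds a single bare cipher string (openssl.txt style). Appends
#   ":!TOKEN" to it unless "!TOKEN" is already present.
append_cipher_exclusion() {
    file=$1
    token=$2
    if grep -qF "!${token}" "$file"; then
        return 0
    fi
    sed "1s/\$/:!${token}/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# append_key_exclusion FILE KEY TOKEN
#   Same, but only on the "KEY = ..." line of an openssl.cnf-style fragment
#   (opensslcnf.txt style). Other lines, e.g. Ciphersuites, the TLS 1.3 suite
#   list that has no RC4 entries anyway, are left untouched.
append_key_exclusion() {
    file=$1
    key=$2
    token=$3
    if grep -E "^${key}[[:space:]]*=" "$file" | grep -qF "!${token}"; then
        return 0
    fi
    sed "s/^\(${key}[[:space:]]*=.*\)\$/\1:!${token}/" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# cipher_list CIPHERSTRING
#   Expands a cipher string with the local openssl, one suite per line.
#   Returns 1 if openssl is missing or rejects the string.
cipher_list() {
    command -v openssl >/dev/null 2>&1 || return 1
    out=$(openssl ciphers "$1" 2>/dev/null) || return 1
    printf '%s\n' "$out" | tr ':' '\n'
}

# --- demo on constructed copies in a scratch directory ---------------------
work=$(mktemp -d)
# Constructed samples, not the real LEGACY files.
printf '%s\n' \
  '@SECLEVEL=1:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:!DES:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5' \
  > "$work/openssl.txt"
cat > "$work/opensslcnf.txt" <<'EOF'
CipherString = @SECLEVEL=1:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:-aDSS:!DES:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5
Ciphersuites = TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256
MinProtocol = TLSv1
MaxProtocol = TLSv1.3
EOF

append_cipher_exclusion "$work/openssl.txt" RC4
append_key_exclusion "$work/opensslcnf.txt" CipherString RC4
# A second run must not add a second ":!RC4".
append_cipher_exclusion "$work/openssl.txt" RC4
append_key_exclusion "$work/opensslcnf.txt" CipherString RC4

echo "== openssl.txt";    cat "$work/openssl.txt"
echo "== opensslcnf.txt"; cat "$work/opensslcnf.txt"

# Any RC4 suite still listed after expansion means the exclusion did not take.
echo "== RC4 suites left after expansion (expect none):"
if list=$(cipher_list "$(cat "$work/openssl.txt")"); then
    printf '%s\n' "$list" | grep RC4 || echo "none"
else
    echo "(local openssl unavailable or rejected the string; check on the CentOS host)"
fi
rm -rf "$work"
```

On the CentOS host itself, after `update-crypto-policies --set LEGACY` and the edit, `update-crypto-policies --show` confirms which policy is active and `openssl ciphers -v 'PROFILE=SYSTEM' | grep RC4` should print nothing, since Red Hat's OpenSSL build resolves PROFILE=SYSTEM from /etc/crypto-policies/back-ends/openssl.config. The script leaves the Ciphersuites line alone because in OpenSSL 1.1.1 that directive is the TLS 1.3 suite list and TLS 1.3 defines no RC4 suites. Later crypto-policies releases (RHEL 8.2 and newer) add policy modifier files under /etc/crypto-policies/policies/modules/ so that "LEGACY minus RC4" can be expressed without editing generated files; the exact cipher name to use there (the project's own identifier for RC4, not the OpenSSL alias) should be taken from the update-crypto-policies(8) man page on the target system.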

On Fri, Apr 17, 2020, 09:40 Junaid Mukhtar <junaid.mukhtar at gmail.com> wrote:

> Hi Tomas
>
> Is it possible to enable legacy protocols/ciphers but disable only one. In
> particular we want RC4-SHA to be disabled
>
> --------
> Regards,
> Junaid
>
>
> On Wed, Apr 15, 2020 at 5:13 PM Junaid Mukhtar <junaid.mukhtar at gmail.com>
> wrote:
>
>> Thanks a lot; It really helped
>>
>> --------
>> Regards,
>> Junaid
>>
>>
>> On Wed, Apr 15, 2020 at 5:04 PM Tomas Mraz <tmraz at redhat.com> wrote:
>>
>>> On Wed, 2020-04-15 at 16:57 +0100, Junaid Mukhtar wrote:
>>> > Hi Team
>>> >
>>> > I am trying to enable TLSv1 on CentOS-8. We don't have the ability to
>>> > upgrade the server unfortunately so we need to enable TLSv1 with
>>> > weak-ciphers on OpenSSL.
>>> >
>>> > I have tried to build the OpenSSL version manually using switches
>>> > "./config --prefix=/usr/local/openssl --openssldir=/usr/local/openssl
>>> > shared enable-weak-ssl-ciphers enable-deprecated enable-rc4
>>> > enable-tls1 zlib" which ran successfully
>>> >
>>> > [root at 2cb6477375aa openssl-OpenSSL_1_1_1c]# openssl version
>>> > OpenSSL 1.1.1c  28 May 2019
>>> >
>>> >
>>> > But I am still not able to run the "openssl s_client -connect "
>>> > command without specifying -tls1 in it. Build accepts the
>>> > weak-ciphers but not the tls1 version.
>>> >
>>> > Can someone please help me with this?
>>>
>>> You should not need to recompile openssl or anything.
>>>
>>> Just run:
>>>
>>> update-crypto-policies --set LEGACY
>>>
>>> and restart the service that is supposed to be providing the TLS1
>>> server or reboot the machine.
>>>
>>> The LEGACY crypto policy purpose is exactly for re-enabling some of the
>>> not-up-to-date protocols and crypto algorithms.
>>>
>>> --
>>> Tomáš Mráz
>>> No matter how far down the wrong road you've gone, turn back.
>>>                                               Turkish proverb
>>> [You'll know whether the road is wrong if you carefully listen to your
>>> conscience.]
>>>
>>>
>>>