checking for enable-weak-ssl-ciphers at runtime?

Michael Wojcik Michael.Wojcik at
Sun May 24 20:49:46 UTC 2020

> From: openssl-users [mailto:openssl-users-bounces at] On Behalf Of
> Daniel Lenski
> Sent: Saturday, May 23, 2020 17:24
> > Other than looping through all of the ciphers with SSL_get_ciphers()
> > right after this… is there a better way to check for 3DES/RC4 support
> > right at startup, so we can give immediate feedback that connecting to
> > such a server cannot succeed?
> It was suggested that I should try EVP_get_ciphername().
> I tested both EVP_get_cipherbyname("DES-EDE3-CBC") == NULL, and
> EVP_des_ede3_cbc() == NULL, but unfortunately both of those APIs
> appear insensitive to whether or not 3DES is actually supported by the
> library.
> Is there another approach to check for 3DES support before actually
> creating an SSL_CTX?

Actually trying to encrypt something using 3DES and the EVP API? Maybe it would even fail on EVP_CipherInit.

It's been a while since I used that, but something like:

static const unsigned char dummy[192] = {1};
unsigned char dummy_out[8];
int outlen = 0;
int tdes_enabled = EVP_CipherInit(ctx, EVP_des_ede3_cbc(), dummy, dummy) &&
                   EVP_EncryptUpdate(ctx, dummy_out, &outlen, dummy, 1) &&
                   EVP_EncryptFinal(ctx, dummy_out, &outlen);


Michael Wojcik
Distinguished Engineer, Micro Focus

More information about the openssl-users mailing list