checking for enable-weak-ssl-ciphers at runtime?

Matt Caswell matt at
Sun May 24 21:48:41 UTC 2020

On 23/05/2020 21:08, Daniel Lenski wrote:
> When OpenConnect is explicitly requested to connect to an ancient
> server, what I am currently trying to do is
> SSL_CTX_set_cipher_list(ctx, "DEFAULT:+3DES:+RC4"). However, this
> fails silently on subsequent connection if 3DES/RC4 support isn't
> available.

As long as at least one cipher is successfully set then this command
will succeed. By setting "DEFAULT" you're getting all the ciphersuites
in the default list and hence the command succeeds. If you want to test
if you have any 3DES ciphersuites available then you can try this:

SSL_CTX_set_cipher_list(ctx, "3DES")

This will succeed if at least one 3DES cipersuite is available, and fail
otherwise. Or you could do:

SSL_CTX_set_cipher_list(ctx, "3DES:RC4")

Which will succeed if there is at least one ciphersuite based on 3DES or
RC4 available, and fail otherwise.

> It was suggested that I should try EVP_get_ciphername().

The ciphers available via the EVP API are only indirectly related to the
ciphersuites available in libssl. If there are no 3DES based ciphers
available via EVP then there won't be any libssl 3DES based
ciphersuites. But the reverse is not true, i.e. 3DES may not be
available in libssl, but it is via EVP. So this is not a great test for
your purposes.


More information about the openssl-users mailing list