Dumb question about DES

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
9 messages Options
Reply | Threaded
Open this post in threaded view
|

Dumb question about DES

Scott Neugroschl-2

Has DES been deprecated in OpenSSL?  If so, what release?  In particular the following ciphers

 

      0.19 EDH-DSS-DES-CBC3-SHA

      0.22 EDH-RSA-DES-CBC3-SHA

    192.13 ECDH-RSA-DES-CBC3-SHA

    192.3  ECDH-ECDSA-DES-CBC3-SHA

    192.18 ECDHE-RSA-DES-CBC3-SHA

    192.8  ECDHE-ECDSA-DES-CBC3-SHA

 

 

 

---

Scott Neugroschl | XYPRO Technology Corporation

4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |

 

 


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Dumb question about DES

OpenSSL - User mailing list
Those ciphers are triple-DES, not single-DES.  (The "CBC3" gives it away ... well, not exactly.)
The single-DES ciphers were removed in release 1.1.0 (they are included in the "40 and 56 bit cipher support removed from libssl" item in the release notes), though the raw crypto primitives remain in libcrypto.

-Ben

On 05/11/2017 11:07 AM, Scott Neugroschl wrote:

Has DES been deprecated in OpenSSL?  If so, what release?  In particular the following ciphers

 

      0.19 EDH-DSS-DES-CBC3-SHA

      0.22 EDH-RSA-DES-CBC3-SHA

    192.13 ECDH-RSA-DES-CBC3-SHA

    192.3  ECDH-ECDSA-DES-CBC3-SHA

    192.18 ECDHE-RSA-DES-CBC3-SHA

    192.8  ECDHE-ECDSA-DES-CBC3-SHA

 

 

 

---

Scott Neugroschl | XYPRO Technology Corporation

4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |

 

 





--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Dumb question about DES

Scott Neugroschl-2

OK.  Are the 3DES CBC ciphers still part of DEFAULT?

 

From: openssl-users [mailto:[hidden email]] On Behalf Of Benjamin Kaduk via openssl-users
Sent: Thursday, May 11, 2017 9:18 AM
To: [hidden email]
Subject: Re: [openssl-users] Dumb question about DES

 

Those ciphers are triple-DES, not single-DES.  (The "CBC3" gives it away ... well, not exactly.)
The single-DES ciphers were removed in release 1.1.0 (they are included in the "40 and 56 bit cipher support removed from libssl" item in the release notes), though the raw crypto primitives remain in libcrypto.

-Ben

On 05/11/2017 11:07 AM, Scott Neugroschl wrote:

Has DES been deprecated in OpenSSL?  If so, what release?  In particular the following ciphers

 

      0.19 EDH-DSS-DES-CBC3-SHA

      0.22 EDH-RSA-DES-CBC3-SHA

    192.13 ECDH-RSA-DES-CBC3-SHA

    192.3  ECDH-ECDSA-DES-CBC3-SHA

    192.18 ECDHE-RSA-DES-CBC3-SHA

    192.8  ECDHE-ECDSA-DES-CBC3-SHA

 

 

 

---

Scott Neugroschl | XYPRO Technology Corporation

4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |

 

 



 


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Dumb question about DES

OpenSSL - User mailing list
The triple-DES ciphers are not part of DEFAULT in 1.1.0e (what I happened to check).
Though, the specific list of ciphers there does not quite match with your list below, so you should double-check if necessary.

-Ben

On 05/11/2017 01:13 PM, Scott Neugroschl wrote:

OK.  Are the 3DES CBC ciphers still part of DEFAULT?

 

From: openssl-users [[hidden email]] On Behalf Of Benjamin Kaduk via openssl-users
Sent: Thursday, May 11, 2017 9:18 AM
To: [hidden email]
Subject: Re: [openssl-users] Dumb question about DES

 

Those ciphers are triple-DES, not single-DES.  (The "CBC3" gives it away ... well, not exactly.)
The single-DES ciphers were removed in release 1.1.0 (they are included in the "40 and 56 bit cipher support removed from libssl" item in the release notes), though the raw crypto primitives remain in libcrypto.

-Ben

On 05/11/2017 11:07 AM, Scott Neugroschl wrote:

Has DES been deprecated in OpenSSL?  If so, what release?  In particular the following ciphers

 

      0.19 EDH-DSS-DES-CBC3-SHA

      0.22 EDH-RSA-DES-CBC3-SHA

    192.13 ECDH-RSA-DES-CBC3-SHA

    192.3  ECDH-ECDSA-DES-CBC3-SHA

    192.18 ECDHE-RSA-DES-CBC3-SHA

    192.8  ECDHE-ECDSA-DES-CBC3-SHA

 

 

 

---

Scott Neugroschl | XYPRO Technology Corporation

4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |

 

 



 





--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Dumb question about DES

Viktor Dukhovni
In reply to this post by Scott Neugroschl-2

> On May 11, 2017, at 2:13 PM, Scott Neugroschl <[hidden email]> wrote:
>
> OK.  Are the 3DES CBC ciphers still part of DEFAULT?

Normal builds of OpenSSL 1.1.0 disable the TLS 3DES ciphersuites at
compile time.  To make use of 3DES in TLS you need to configure your
OpenSSL 1.1.0 build with the "enable-weak-ssl-ciphers" option.

--
--
        Viktor.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Dumb question about DES

Jeffrey Walton-3
In reply to this post by Scott Neugroschl-2
On Thu, May 11, 2017 at 2:13 PM, Scott Neugroschl <[hidden email]> wrote:
> OK.  Are the 3DES CBC ciphers still part of DEFAULT?

From OpenSSL 1.0.1t:

$ openssl ciphers "DEFAULT"
ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-
SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SH
A:SRP-DSS-AES-256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:DHE-D
SS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DS
S-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-S
HA:DHE-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM
-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA
:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA2
56-SHA:PSK-AES256-CBC-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GC
M-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128
-SHA:ECDHE-ECDSA-AES128-SHA:SRP-DSS-AES-128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA
:SRP-AES-128-CBC-SHA:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DH
E-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128
-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAME
LLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RS
A-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES
128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA
:PSK-AES128-CBC-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:
ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:PSK-RC4-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE
-ECDSA-DES-CBC3-SHA:SRP-DSS-3DES-EDE-CBC-SHA:SRP-RSA-3DES-EDE-CBC-SHA:SRP-3
DES-EDE-CBC-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3
-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA:PSK-3DES-EDE-CBC-SHA
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Dumb question about DES

Scott Neugroschl-2
In reply to this post by Scott Neugroschl-2

So if I’m using 1.0.2, and want to deprecate 3DES, I need to do that as part of my build?

 

From: openssl-users [mailto:[hidden email]] On Behalf Of Scott Neugroschl
Sent: Thursday, May 11, 2017 11:13 AM
To: [hidden email]
Subject: Re: [openssl-users] Dumb question about DES

 

OK.  Are the 3DES CBC ciphers still part of DEFAULT?

 

From: openssl-users [[hidden email]] On Behalf Of Benjamin Kaduk via openssl-users
Sent: Thursday, May 11, 2017 9:18 AM
To: [hidden email]
Subject: Re: [openssl-users] Dumb question about DES

 

Those ciphers are triple-DES, not single-DES.  (The "CBC3" gives it away ... well, not exactly.)
The single-DES ciphers were removed in release 1.1.0 (they are included in the "40 and 56 bit cipher support removed from libssl" item in the release notes), though the raw crypto primitives remain in libcrypto.

-Ben

On 05/11/2017 11:07 AM, Scott Neugroschl wrote:

Has DES been deprecated in OpenSSL?  If so, what release?  In particular the following ciphers

 

      0.19 EDH-DSS-DES-CBC3-SHA

      0.22 EDH-RSA-DES-CBC3-SHA

    192.13 ECDH-RSA-DES-CBC3-SHA

    192.3  ECDH-ECDSA-DES-CBC3-SHA

    192.18 ECDHE-RSA-DES-CBC3-SHA

    192.8  ECDHE-ECDSA-DES-CBC3-SHA

 

 

 

---

Scott Neugroschl | XYPRO Technology Corporation

4100 Guardian Street | Suite 100 |Simi Valley, CA 93063 | Phone 805 583-2874|Fax 805 583-0124 |

 

 

 

 


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Dumb question about DES

OpenSSL - User mailing list
On 05/11/2017 03:17 PM, Scott Neugroschl wrote:

So if I’m using 1.0.2, and want to deprecate 3DES, I need to do that as part of my build?



Yes.

-Ben

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Reply | Threaded
Open this post in threaded view
|

Re: Dumb question about DES

Jakob Bohm-7
In reply to this post by Scott Neugroschl-2
(keeping TOFU style to keep thread consistent).

You can also just use the cipher-list configuration option string
that an OpenSSL 1.0.x should allow passing to OpenSSL.

On 11/05/2017 22:17, Scott Neugroschl wrote:

>
> So if I’m using 1.0.2, and want to deprecate 3DES, I need to do that
> as part of my build?
>
> *From:*openssl-users [mailto:[hidden email]] *On
> Behalf Of *Scott Neugroschl
> *Sent:* Thursday, May 11, 2017 11:13 AM
> *To:* [hidden email]
> *Subject:* Re: [openssl-users] Dumb question about DES
>
> OK.  Are the 3DES CBC ciphers still part of DEFAULT?
>
> *From:*openssl-users [mailto:[hidden email]] *On
> Behalf Of *Benjamin Kaduk via openssl-users
> *Sent:* Thursday, May 11, 2017 9:18 AM
> *To:* [hidden email] <mailto:[hidden email]>
> *Subject:* Re: [openssl-users] Dumb question about DES
>
> Those ciphers are triple-DES, not single-DES.  (The "CBC3" gives it
> away ... well, not exactly.)
> The single-DES ciphers were removed in release 1.1.0 (they are
> included in the "40 and 56 bit cipher support removed from libssl"
> item in the release notes), though the raw crypto primitives remain in
> libcrypto.
>
> -Ben
>
> On 05/11/2017 11:07 AM, Scott Neugroschl wrote:
>
>     Has DES been deprecated in OpenSSL?  If so, what release?  In
>     particular the following ciphers
>
>           0.19 EDH-DSS-DES-CBC3-SHA
>
>           0.22 EDH-RSA-DES-CBC3-SHA
>
>         192.13 ECDH-RSA-DES-CBC3-SHA
>
>         192.3  ECDH-ECDSA-DES-CBC3-SHA
>
>         192.18 ECDHE-RSA-DES-CBC3-SHA
>
>         192.8  ECDHE-ECDSA-DES-CBC3-SHA
>

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users