Enabled weak cipher suites

Enabled weak cipher suites

John Jiang
Hi,
I'm using s_server and s_client from OpenSSL 1.1.1.
It looks like the weak cipher suites, like SSL_RSA_WITH_RC4_128_MD5, are disabled.
Is there any way to re-enable these cipher suites?

Thanks!

Re: Enabled weak cipher suites

Dr Paul Dale
Yes there is but it will require a reconfigure and a recompile.

The big question is: "why?"
RC4 and MD5 are both considered broken.


Pauli
-- 
Dr Paul Dale | Cryptographer | Network Security & Encryption 
Phone +61 7 3031 7217
Oracle Australia



On 26 Jun 2019, at 11:41 am, John Jiang <[hidden email]> wrote:

> Hi,
> I'm using s_server and s_client from OpenSSL 1.1.1.
> It looks like the weak cipher suites, like SSL_RSA_WITH_RC4_128_MD5, are disabled.
> Is there any way to re-enable these cipher suites?
>
> Thanks!


Re: Enabled weak cipher suites

Dennis Clarke-2
In reply to this post by John Jiang
On 6/25/19 9:41 PM, John Jiang wrote:
> Hi,
> I'm using s_server and s_client from OpenSSL 1.1.1.
> It looks like the weak cipher suites, like SSL_RSA_WITH_RC4_128_MD5, are
> disabled.
> Is there any way to re-enable these cipher suites?

Fairly certain that is a configuration option; however, I have not
bothered with those since 1.0.2 or so.


--
Dennis Clarke
RISC-V/SPARC/PPC/ARM/CISC
UNIX and Linux spoken
GreyBeard and suspenders optional

Re: Enabled weak cipher suites

John Jiang
In reply to this post by Dr Paul Dale
On Wed, Jun 26, 2019 at 2:59 PM Dr Paul Dale <[hidden email]> wrote:
> Yes there is but it will require a reconfigure and a recompile.

Could you please show me more details about it?
Which option(s) should be used for configuring and compiling?

> The big question is: "why?"
> RC4 and MD5 are both considered broken.

Don't worry, just for some testing.

Thanks!

> Pauli
> --
> Dr Paul Dale | Cryptographer | Network Security & Encryption
> Phone +61 7 3031 7217
> Oracle Australia
>
>> On 26 Jun 2019, at 11:41 am, John Jiang <[hidden email]> wrote:
>>
>> Hi,
>> I'm using s_server and s_client from OpenSSL 1.1.1.
>> It looks like the weak cipher suites, like SSL_RSA_WITH_RC4_128_MD5, are disabled.
>> Is there any way to re-enable these cipher suites?
>>
>> Thanks!


Re: Enabled weak cipher suites

Matt Caswell-2


On 26/06/2019 12:18, John Jiang wrote:
> On Wed, Jun 26, 2019 at 2:59 PM Dr Paul Dale <[hidden email]> wrote:
>
>     Yes there is but it will require a reconfigure and a recompile.
>
> Could you please show me more details about it?
> Which option(s) should be used for configuring and compiling?

To compile in support for weak ciphersuites:

$ ./config enable-weak-ssl-ciphers

And then make/make test/make install as usual.

Once support is compiled in, the weak ciphersuites are still not enabled in the
"DEFAULT" set of ciphersuites - you have to explicitly enable them at run time, e.g.

$ openssl s_server -no_tls1_3 -cipher "RC4-MD5:@SECLEVEL=0"

$ openssl s_client -no_tls1_3 -cipher "RC4-MD5:@SECLEVEL=0"

Matt

>  
>
>
>     The big question is: "why?"
>     RC4 and MD5 are both considered broken.
>
> Don't worry, just for some testing.
>
> Thanks!
>
>
>
>     Pauli
>     -- 
>     Dr Paul Dale | Cryptographer | Network Security & Encryption 
>     Phone +61 7 3031 7217
>     Oracle Australia
>
>
>
>>     On 26 Jun 2019, at 11:41 am, John Jiang <[hidden email]> wrote:
>>
>>     Hi,
>>     I'm using s_server and s_client from OpenSSL 1.1.1.
>>     It looks like the weak cipher suites, like SSL_RSA_WITH_RC4_128_MD5, are disabled.
>>     Is there any way to re-enable these cipher suites?
>>
>>     Thanks!
>
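
A check for the two points in Matt Caswell's reply, written as an added example that is not part of the original thread or OpenSSL's own code: whether a given openssl binary was built with enable-weak-ssl-ciphers, and whether its "DEFAULT" list exposes any RC4 or MD5 suite. The function names `weak_suites` and `audit_build` are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit an openssl binary for the weak suites discussed above.
# Usage: sh audit.sh /path/to/openssl   (the script name is hypothetical)

# Print the entries of a colon-separated cipher list whose name has an
# RC4 or MD5 component (e.g. RC4-MD5, ECDHE-RSA-RC4-SHA), one per line.
weak_suites() {
    printf '%s\n' "$1" | tr ':' '\n' | grep -E '(^|-)(RC4|MD5)(-|$)' || true
}

# audit_build [openssl-command]
# Prints two lines: whether weak suites are compiled in, and which weak
# suites (if any) the DEFAULT list exposes. Returns 1 only in that last case.
audit_build() {
    ossl=${1:-openssl}
    # In a build without enable-weak-ssl-ciphers the name RC4-MD5 does not
    # resolve, so "ciphers" exits non-zero even at security level 0.
    if "$ossl" ciphers 'RC4-MD5:@SECLEVEL=0' >/dev/null 2>&1; then
        echo "compiled-in: yes"
    else
        echo "compiled-in: no"
    fi
    # Even when compiled in, the weak suites should be absent from DEFAULT.
    default_list=$("$ossl" ciphers 'DEFAULT' 2>/dev/null) || default_list=
    exposed=$(weak_suites "$default_list")
    if [ -n "$exposed" ]; then
        echo "default-exposes: $(printf '%s' "$exposed" | tr '\n' ':')"
        return 1
    fi
    echo "default-exposes: none"
}

# Run the audit only when a binary is named on the command line.
if [ "$#" -gt 0 ]; then
    audit_build "$1"
fi
```

A result of "compiled-in: yes" on a production host means the binary was rebuilt with the test-only option and any application cipher string that names RC4 will now resolve.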