How to enable RC4 in OpenSSL 1.1.0c

How to enable RC4 in OpenSSL 1.1.0c

Chris Clark
I am trying to compile OpenSSL 1.1.0c for Visual Studio with the
depreciated RC4 cipher enabled.

I tried the following configure line:
perl Configure VC-WIN64A enable-weak-ssl-ciphers enable-deprecated enable-rc4


Once I compile, and I run "openssl cipher -v" it does not show any RC4 ciphers.
Is there another parameter needed?

I would also like to know, is it possible to also enable the
depreciated SSL3 ciphers?

-Chris
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: How to enable RC4 in OpenSSL 1.1.0c

Viktor Dukhovni
On Wed, Jan 18, 2017 at 03:30:12PM -0800, Chris Clark wrote:

> I am trying to compile OpenSSL 1.1.0c for Visual Studio with the
> depreciated RC4 cipher enabled.

The "Configure" script includes embedded documentation for the
available options.

    # enable-weak-ssl-ciphers
    #               Enable weak ciphers that are disabled by default. This currently
    #               only includes RC4 based ciphers.

> I tried the following configure line:
> perl Configure VC-WIN64A enable-weak-ssl-ciphers enable-deprecated enable-rc4
>
>
> Once I compile, and I run "openssl cipher -v" it does not show any RC4 ciphers.
> Is there another parameter needed?

Which "openssl" command did you run and against which libraries?
Report the output of "openssl version -a".

> I would also like to know, is it possible to also enable the
> depreciated SSL3 ciphers?

Do you mean the ciphers or the protocol?  Many SSLv3 ciphers are
still needed for interoperable TLS 1.0/1.1/1.2

--
        Viktor.

Re: How to enable RC4 in OpenSSL 1.1.0c

Chris Clark
On Wed, Jan 18, 2017 at 3:37 PM, Viktor Dukhovni
<[hidden email]> wrote:

>> I am trying to compile OpenSSL 1.1.0c for Visual Studio with the
>> depreciated RC4 cipher enabled.

>> I tried the following configure line:
>> perl Configure VC-WIN64A enable-weak-ssl-ciphers enable-deprecated enable-rc4
>>
>> Once I compile, and I run "openssl ciphers -v" it does not show any RC4 ciphers.
>> Is there another parameter needed?
>
> Which "openssl" command did you run and against which libraries?
> Report the output of "openssl version -a".

OpenSSL 1.1.0c  10 Nov 2016
built on: reproducible build, date unspecified
platform:
compiler: cl " "VC-WIN64A
OPENSSLDIR: "c:\openssl64"
ENGINESDIR: "C:\openssl64\lib\engines-1_1"


Here is the batch file I used:
SET PREFIX=C:\openssl64
SET OPENSSLDIR=C:\openssl64
perl Configure VC-WIN64A enable-weak-ssl-ciphers enable-deprecated enable-rc4
nmake

>> I would also like to know, is it possible to also enable the depreciated SSL3
>> ciphers?
>
> Do you mean the ciphers or the protocol?  Many SSLv3 ciphers are
> still needed for interoperable TLS 1.0/1.1/1.2

Sorry, I meant to say the SSLv3 protocol.

-Chris

Re: How to enable RC4 in OpenSSL 1.1.0c

Viktor Dukhovni

> On Jan 18, 2017, at 8:29 PM, Chris Clark <[hidden email]> wrote:
>
> OpenSSL 1.1.0c  10 Nov 2016
> built on: reproducible build, date unspecified
> platform:
> compiler: cl " "VC-WIN64A
> OPENSSLDIR: "c:\openssl64"
> ENGINESDIR: "C:\openssl64\lib\engines-1_1"

Sadly this does not shed much light on the build options.

>>> I would also like to know, is it possible to also enable the depreciated SSL3
>>> ciphers?
>>
>> Do you mean the ciphers or the protocol?  Many SSLv3 ciphers are
>> still needed for interoperable TLS 1.0/1.1/1.2
>
> Sorry, I meant to say the SSLv3 protocol.

For that "enable-ssl3" and "enable-ssl3-method".

--
        Viktor.


Re: How to enable RC4 in OpenSSL 1.1.0c

Salz, Rich
In reply to this post by Chris Clark
> Once I compile, and I run "openssl cipher -v" it does not show any RC4
> ciphers.
> Is there another parameter needed?

In addition to what Viktor said, you need to say "ALL" because RC4 is still not part of DEFAULT.

Re: How to enable RC4 in OpenSSL 1.1.0c

Chris Clark
In reply to this post by Viktor Dukhovni
On Wed, Jan 18, 2017 at 7:01 PM, Viktor Dukhovni
<[hidden email]> wrote:

> Sadly this does not shed much light on the build options.

Here is more info, and now I added the "enable-ssl3" and
"enable-ssl3-method" options:

c:\openssl-1.1.0c64>perl Configure VC-WIN64A enable-weak-ssl-ciphers enable-deprecated enable-rc4 enable-ssl3 enable-ssl3-method
Configuring OpenSSL version 1.1.0c (0x1010003fL)
    no-asan         [default]  OPENSSL_NO_ASAN
    no-crypto-mdebug [default]  OPENSSL_NO_CRYPTO_MDEBUG
    no-crypto-mdebug-backtrace [default]  OPENSSL_NO_CRYPTO_MDEBUG_BACKTRACE
    no-ec_nistp_64_gcc_128 [default]  OPENSSL_NO_EC_NISTP_64_GCC_128
    no-egd          [default]  OPENSSL_NO_EGD
    no-fuzz-afl     [default]  OPENSSL_NO_FUZZ_AFL
    no-fuzz-libfuzzer [default]  OPENSSL_NO_FUZZ_LIBFUZZER
    no-heartbeats   [default]  OPENSSL_NO_HEARTBEATS
    no-md2          [default]  OPENSSL_NO_MD2 (skip dir)
    no-msan         [default]  OPENSSL_NO_MSAN
    no-rc5          [default]  OPENSSL_NO_RC5 (skip dir)
    no-sctp         [default]  OPENSSL_NO_SCTP
    no-ssl-trace    [default]  OPENSSL_NO_SSL_TRACE
    no-ubsan        [default]  OPENSSL_NO_UBSAN
    no-unit-test    [default]  OPENSSL_NO_UNIT_TEST
    no-zlib         [default]
    no-zlib-dynamic [default]
Configuring for VC-WIN64A

It looks like you don't have either nmake.exe or dmake.exe on your PATH,
so you will not be able to execute the commands from a Makefile.  You can
install dmake.exe with the Perl Package Manager by running:
    ppm install dmake

CC            =cl
CFLAG         =-W3 -wd4090 -Gs0 -GF -Gy -nologo -DOPENSSL_SYS_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE -DUNICODE -D_UNICODE /MD /O2
SHARED_CFLAG  =
DEFINES       =OPENSSL_USE_APPLINK DSO_WIN32 NDEBUG OPENSSL_THREADS OPENSSL_NO_STATIC_ENGINE OPENSSL_PIC OPENSSL_IA32_SSE2 OPENSSL_BN_ASM_MONT OPENSSL_BN_ASM_MONT5 OPENSSL_BN_ASM_GF2m SHA1_ASM SHA256_ASM SHA512_ASM RC4_ASM MD5_ASM AES_ASM VPAES_ASM BSAES_ASM GHASH_ASM ECP_NISTZ256_ASM POLY1305_ASM
LFLAG         =/nologo /debug
PLIB_LFLAG    =
EX_LIBS       =ws2_32.lib gdi32.lib advapi32.lib crypt32.lib user32.lib
APPS_OBJ      =win32_init.o ../ms/applink.o
CPUID_OBJ     =x86_64cpuid.o
UPLINK_OBJ    =../ms/uplink.o uplink-x86_64.o
BN_ASM        =bn_asm.o x86_64-mont.o x86_64-mont5.o x86_64-gf2m.o rsaz_exp.o rsaz-x86_64.o rsaz-avx2.o
EC_ASM        =ecp_nistz256.o ecp_nistz256-x86_64.o
DES_ENC       =des_enc.o fcrypt_b.o
AES_ENC       =aes-x86_64.o vpaes-x86_64.o bsaes-x86_64.o aesni-x86_64.o aesni-sha1-x86_64.o aesni-sha256-x86_64.o aesni-mb-x86_64.o
BF_ENC        =bf_enc.o
CAST_ENC      =c_enc.o
RC4_ENC       =rc4-x86_64.o rc4-md5-x86_64.o
RC5_ENC       =rc5_enc.o
MD5_OBJ_ASM   =md5-x86_64.o
SHA1_OBJ_ASM  =sha1-x86_64.o sha256-x86_64.o sha512-x86_64.o sha1-mb-x86_64.o sha256-mb-x86_64.o
RMD160_OBJ_ASM=
CMLL_ENC      =cmll-x86_64.o cmll_misc.o
MODES_OBJ     =ghash-x86_64.o aesni-gcm-x86_64.o
PADLOCK_OBJ   =e_padlock-x86_64.o
CHACHA_ENC    =chacha-x86_64.o
POLY1305_OBJ  =poly1305-x86_64.o
BLAKE2_OBJ    =
PROCESSOR     =
RANLIB        =true
ARFLAGS       =/nologo
PERL          =c:\perl\bin\perl.exe
SIXTY_FOUR_BIT mode
Configured for VC-WIN64A.


Notice it says that dmake.exe is not in my path, but this appears to
be a bug as I am running this from a Visual Studio 2008 x64 Command
Prompt, and nmake.exe is indeed in the path, located in:
c:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\bin\amd64

Here is the batch file which I use:
SET PREFIX=C:\openssl64
SET OPENSSLDIR=C:\openssl64
perl Configure VC-WIN64A enable-weak-ssl-ciphers enable-deprecated enable-rc4 enable-ssl3 enable-ssl3-method
nmake


Here is my development environment:
Windows 10 Professional
Visual Studio 2008 version 9.0.30729.1 SP1
ActivePerl version 5.22.2
NASM version 2.12.02

nmake compiles without errors, though there are many "conversion from
size_t" warnings.
The results of running "openssl.exe ciphers -v" which I do not find
any RC4 ciphers:

ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH     Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH       Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
ECDHE-RSA-AES128-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
RSA-PSK-AES256-GCM-SHA384 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-PSK-AES256-GCM-SHA384 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESGCM(256) Mac=AEAD
RSA-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=CHACHA20/POLY1305(256) Mac=AEAD
DHE-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-PSK-CHACHA20-POLY1305 TLSv1.2 Kx=ECDHEPSK Au=PSK  Enc=CHACHA20/POLY1305(256) Mac=AEAD
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
PSK-AES256-GCM-SHA384   TLSv1.2 Kx=PSK      Au=PSK  Enc=AESGCM(256) Mac=AEAD
PSK-CHACHA20-POLY1305   TLSv1.2 Kx=PSK      Au=PSK  Enc=CHACHA20/POLY1305(256) Mac=AEAD
RSA-PSK-AES128-GCM-SHA256 TLSv1.2 Kx=RSAPSK   Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-PSK-AES128-GCM-SHA256 TLSv1.2 Kx=DHEPSK   Au=PSK  Enc=AESGCM(128) Mac=AEAD
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
PSK-AES128-GCM-SHA256   TLSv1.2 Kx=PSK      Au=PSK  Enc=AESGCM(128) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-PSK-AES256-CBC-SHA384 TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(256)  Mac=SHA384
ECDHE-PSK-AES256-CBC-SHA SSLv3 Kx=ECDHEPSK Au=PSK  Enc=AES(256)  Mac=SHA1
SRP-RSA-AES-256-CBC-SHA SSLv3 Kx=SRP      Au=RSA  Enc=AES(256)  Mac=SHA1
SRP-AES-256-CBC-SHA     SSLv3 Kx=SRP      Au=SRP  Enc=AES(256)  Mac=SHA1
RSA-PSK-AES256-CBC-SHA384 TLSv1 Kx=RSAPSK   Au=RSA  Enc=AES(256)  Mac=SHA384
DHE-PSK-AES256-CBC-SHA384 TLSv1 Kx=DHEPSK   Au=PSK  Enc=AES(256)  Mac=SHA384
RSA-PSK-AES256-CBC-SHA  SSLv3 Kx=RSAPSK   Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-PSK-AES256-CBC-SHA  SSLv3 Kx=DHEPSK   Au=PSK  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
PSK-AES256-CBC-SHA384   TLSv1 Kx=PSK      Au=PSK  Enc=AES(256)  Mac=SHA384
PSK-AES256-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(256)  Mac=SHA1
ECDHE-PSK-AES128-CBC-SHA256 TLSv1 Kx=ECDHEPSK Au=PSK  Enc=AES(128)  Mac=SHA256
ECDHE-PSK-AES128-CBC-SHA SSLv3 Kx=ECDHEPSK Au=PSK  Enc=AES(128)  Mac=SHA1
SRP-RSA-AES-128-CBC-SHA SSLv3 Kx=SRP      Au=RSA  Enc=AES(128)  Mac=SHA1
SRP-AES-128-CBC-SHA     SSLv3 Kx=SRP      Au=SRP  Enc=AES(128)  Mac=SHA1
RSA-PSK-AES128-CBC-SHA256 TLSv1 Kx=RSAPSK   Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-PSK-AES128-CBC-SHA256 TLSv1 Kx=DHEPSK   Au=PSK  Enc=AES(128)  Mac=SHA256
RSA-PSK-AES128-CBC-SHA  SSLv3 Kx=RSAPSK   Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-PSK-AES128-CBC-SHA  SSLv3 Kx=DHEPSK   Au=PSK  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
PSK-AES128-CBC-SHA256   TLSv1 Kx=PSK      Au=PSK  Enc=AES(128)  Mac=SHA256
PSK-AES128-CBC-SHA      SSLv3 Kx=PSK      Au=PSK  Enc=AES(128)  Mac=SHA1

-Chris

Re: How to enable RC4 in OpenSSL 1.1.0c

Matt Caswell-2


On 19/01/17 17:59, Chris Clark wrote:
> On Wed, Jan 18, 2017 at 7:01 PM, Viktor Dukhovni
> <[hidden email]> wrote:
>
>> Sadly this does not shed much light on the build options.
>
> Here is more info, and now I added the "enable-ssl3" and
> "enable-ssl3-method" options:

If all you want is RC4 (which you can have without SSLv3 if you want
it), then all you need to add is enable-weak-ssl-ciphers


> It looks like you don't have either nmake.exe or dmake.exe on your PATH,
> so you will not be able to execute the commands from a Makefile.  You can
> install dmake.exe with the Perl Package Manager by running:
>     ppm install dmake
...
>
> Notice it says that dmake.exe is not in my path, but this appears to
> be a bug as I am running this from a Visual Studio 2008 x64 Command
> Prompt, and nmake.exe is indeed in the path, located in:
> c:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\bin\amd64

That message doesn't come from OpenSSL. It's a bug in perl.


> nmake compiles without errors, though there are many "conversion from
> size_t" warnings.
> The results of running "openssl.exe ciphers -v" which I do not find
> any RC4 ciphers:

Try this:

openssl ciphers -v "ALL:@SECLEVEL=0"

Matt

Re: How to enable RC4 in OpenSSL 1.1.0c

Benjamin Kaduk
In reply to this post by Chris Clark
On 01/19/2017 11:59 AM, Chris Clark wrote:
> Notice it says that dmake.exe is not in my path, but this appears to
> be a bug as I am running this from a Visual Studio 2008 x64 Command
> Prompt, and nmake.exe is indeed in the path, located in:
> c:\Program Files (x86)\Microsoft Visual Studio 9.0\VC\bin\amd64

This is a known bug; something about "use Config;" triggers it but no one figured out a way to prevent it from happening. (https://mta.openssl.org/pipermail/openssl-users/2017-January/005071.html)

-Ben


Re: How to enable RC4 in OpenSSL 1.1.0c

Chris Clark
In reply to this post by Matt Caswell-2
On Thu, Jan 19, 2017 at 10:36 AM, Matt Caswell <[hidden email]> wrote:

> Try this:
>
> openssl ciphers -v "ALL:@SECLEVEL=0"

Okay that worked! Thanks to everyone that responded. I saw Rich Salz
mentioned using ALL, but I didn't realize it was a parameter.

-Chris
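
The check this thread arrives at, as a script for auditing whether a given build still offers RC4 (an added example, not part of the original thread or of OpenSSL). It assumes a POSIX sh with awk; the function names and the sample listing are constructed for illustration, and the parser also joins the mail-wrapped "Enc=" lines seen in the listing above.

```shell
#!/bin/sh
# Added example: find RC4 suites in `openssl ciphers -v` output.

# rc4_suites: read `openssl ciphers -v` output on stdin and print the name
# of each suite whose Enc= field is RC4. Lines that start with a Kx=/Au=/
# Enc=/Mac= field are mail-wrapped tails and are joined to the previous line.
rc4_suites() {
    awk '
        function flush(   n, i, f) {
            n = split(rec, f, /[ \t]+/)
            for (i = 2; i <= n; i++)
                if (f[i] ~ /^Enc=RC4\(/) print f[1]
            rec = ""
        }
        NF == 0 { next }
        $1 ~ /^(Kx|Au|Enc|Mac)=/ { rec = rec " " $0; next }
        { flush(); rec = $0; sub(/^[ \t]+/, "", rec) }
        END { flush() }
    '
}

# audit_build: list the RC4 suites an openssl binary (default: the one on
# PATH) offers under DEFAULT and under the string suggested in the thread.
# Returns non-zero if RC4 is reachable with "ALL:@SECLEVEL=0".
audit_build() {
    bin=${1:-openssl}
    for spec in 'DEFAULT' 'ALL:@SECLEVEL=0'; do
        found=""
        out=$("$bin" ciphers -v "$spec" 2>/dev/null) ||
            { echo "$spec: cipher string rejected"; continue; }
        found=$(printf '%s\n' "$out" | rc4_suites | tr '\n' ' ')
        echo "$spec: ${found:-no RC4 suites}"
    done
    [ -z "$found" ]
}

# Constructed sample (not output from the thread); one record is wrapped.
sample_output() {
    cat <<'EOF'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-ECDSA-RC4-SHA     SSLv3 Kx=ECDH     Au=ECDSA
Enc=RC4(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
EOF
}

sample_output | rc4_suites
```

To check a real build, call audit_build with the path to its openssl binary; a build configured without enable-weak-ssl-ciphers should report no RC4 suites for both cipher strings.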