Re-enable 3DES on NGINX + OpenSSL 1.1.1


Re-enable 3DES on NGINX + OpenSSL 1.1.1

Neil Craig
Hi all

I'm trying to re-add 3DES support (a temporary move, due to business requirements) to an NGINX (1.15.3) + OpenSSL (1.1.1) build via the NGINX build flag --with-openssl-opt=enable-weak-ssl-ciphers which I learnt from https://www.openssl.org/blog/blog/2016/08/24/sweet32/.

Whilst I do see some older ciphersuites being offered by NGINX after doing this, e.g. Camellia, SEED and so on, I don't see 3DES. I was expecting to be able to specifically list 3DES, e.g. via DES-CBC3-SHA, but that didn't work. I have also tried adding @seclevel=0 to the ciphersuite string in NGINX but again, that didn't work; I don't see any 3DES ciphersuites available in NGINX.

I'm wondering whether something changed between the above article and the final version of OpenSSL 1.1.1? (I.e. Whether 3DES support was completely removed in OpenSSL 1.1.1).

Any pointers would be very much appreciated, I can’t find anything very useful on the web.

Cheers

Neil Craig
Lead Technical Architect | Online Technology Group
Broadcast Centre, London W12 7TQ | BC4 A3 


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: Re-enable 3DES on NGINX + OpenSSL 1.1.1

Matt Caswell-2


On 17/09/18 16:29, Neil Craig wrote:

> [...]

3DES is still available in 1.1.1 but is no longer in the DEFAULT
ciphersuite list, so unless you explicitly configure them to be
available you won't see them (even if you configure with
enable-weak-ssl-ciphers).

E.g. (assuming you compiled with enable-weak-ssl-ciphers):


$ openssl ciphers -v | grep 3DES

Will give you 0 ciphers, but

$ openssl ciphers -v 3DES | grep 3DES

Should list 14 different 3DES ciphersuites that are available.

I don't know about nginx config though so maybe someone else can help there.

Matt


Re: Re-enable 3DES on NGINX + OpenSSL 1.1.1

Neil Craig
Thanks very much Matt. I have indeed built with NGINX configure opt
--with-openssl-opt=enable-weak-ssl-cipher and whilst I don't see an error
when running NGINX with a/some 3DES cipher(s) in the ciphers list, I don't
see any 3DES ciphers in the output of e.g. Testssl and I can't make a
connection to the server using openssl CLI with -cipher <3DES cipher>.

I wonder if the problem might be either NGINX not respecting/processing
the configure opt (above) or possibly removing 3DES ciphers for some
reason with openssl 1.1.1.

I'll keep digging, thanks again for your help and for confirming that's
the right thing to do.

Cheers

Neil Craig
Lead Technical Architect | Online Technology Group

Broadcast Centre, London W12 7TQ | BC4 A3
Twitter: https://twitter.com/tdp_org





On 17/09/2018, 17:41, "openssl-users on behalf of Matt Caswell"
<[hidden email] on behalf of [hidden email]> wrote:

> [...]



-----------------------------
http://www.bbc.co.uk
This e-mail (and any attachments) is confidential and
may contain personal views which are not the views of the BBC unless specifically stated.
If you have received it in
error, please delete it from your system.
Do not use, copy or disclose the
information in any way nor act in reliance on it and notify the sender
immediately.
Please note that the BBC monitors e-mails
sent or received.
Further communication will signify your consent to
this.
-----------------------------

Re: Re-enable 3DES on NGINX + OpenSSL 1.1.1

OpenSSL - User mailing list
3DES is considered to only be 112 bits in strength. The default security level is 1 (which allows most things), perhaps nginx resets the security level to 3 or greater (which means a minimum of 128-bit ciphers).

--
-Todd Short
// "One if by land, two if by sea, three if by the Internet."

On Sep 17, 2018, at 4:20 PM, Neil Craig <[hidden email]> wrote:

> [...]


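The listing Matt describes above, together with the 112-bit strength figure that Todd's note turns on, as an added example that is not part of the thread: a Python script (example code, not from the OpenSSL project or from nginx) that asks the OpenSSL library the interpreter is linked against which suites a cipher string yields, the same question `openssl ciphers -v '<string>'` answers. It assumes Python 3.6 or later built against OpenSSL 1.1.x or 3.x; the SECURITY_LEVEL_MIN_BITS table and the function names are the example's own. It reports on the interpreter's OpenSSL, not on the library nginx links, so for Neil's case the same strings should also be run through the openssl binary built from the tree nginx was configured with.

```python
"""Added example (not from the thread): query the OpenSSL this interpreter is
linked against for the suites an OpenSSL cipher string yields, the way
`openssl ciphers -v '<string>'` does.

Assumptions: Python 3.6+ with the stdlib ssl module built against OpenSSL
1.1.x or 3.x. The result describes *that* library, not the one nginx links.
"""
import ssl

# Symmetric-strength floor, in bits, that each OpenSSL security level
# enforces when a handshake selects a suite (SSL_CTX_set_security_level(3)).
# 3DES rates 112 bits, so it passes level 2 and is refused from level 3 up.
# Table is the example's own; the real callback has further per-level rules.
SECURITY_LEVEL_MIN_BITS = {0: 0, 1: 80, 2: 112, 3: 128, 4: 192, 5: 256}


def offered_suites(cipher_string):
    """Suites (TLS 1.2 and below) that OpenSSL selects for cipher_string.

    Returns [] when OpenSSL rejects the string ("No cipher can be
    selected"). That is what DES-CBC3-SHA yields on a build made without
    enable-weak-ssl-ciphers: the suite is not merely outside DEFAULT, it was
    never compiled in, and no cipher string can bring it back.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    # TLS 1.3 suites come from a separate list and appear whatever the
    # cipher string says; drop them to mirror `openssl ciphers`.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def triple_des_suites(cipher_string):
    """Names of the 3DES suites among those selected by cipher_string.

    Same filter as `openssl ciphers -v ... | grep 3DES`, which matches the
    'Enc=3DES(168)' field of the suite description.
    """
    return [c["name"] for c in offered_suites(cipher_string)
            if "Enc=3DES" in c["description"]]


def suites_blocked_at_level(cipher_string, level):
    """Names in cipher_string whose strength is under the floor of `level`,
    i.e. what @SECLEVEL=<level> would refuse to negotiate (strength only)."""
    floor = SECURITY_LEVEL_MIN_BITS[level]
    return [c["name"] for c in offered_suites(cipher_string)
            if c["strength_bits"] < floor]


def report(cipher_string):
    """One line per selected suite, in the spirit of `openssl ciphers -v`."""
    lines = ["%-32s %-8s bits=%d" % (c["name"], c["protocol"], c["strength_bits"])
             for c in offered_suites(cipher_string)]
    return "\n".join(lines) if lines else "(no cipher can be selected)"


if __name__ == "__main__":
    print("linked against:", ssl.OPENSSL_VERSION)
    for s in ("DEFAULT", "3DES", "DES-CBC3-SHA"):
        print("\n== %s ==" % s)
        print(report(s))
        print("3DES suites:", triple_des_suites(s) or "none")
        print("refused at @SECLEVEL=3:", suites_blocked_at_level(s, 3) or "none")
```

An empty result for "3DES" means the library was built without enable-weak-ssl-ciphers and only a rebuild will change that; a non-empty result for "3DES" next to an empty one for "DEFAULT" is the situation Matt describes, where the suites exist but have to be named explicitly. A @SECLEVEL=n token in the string sets the context's level, but, like `openssl ciphers` run without -s, get_ciphers() lists suites without applying it; the level is enforced when a handshake picks a suite, which is what suites_blocked_at_level approximates from the strength floor alone.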