Re: enable TLS_RSA_WITH_RC4_128_MD5 in openssl 1.1.0e?

Hi Matt,

I tried the following command, but it failed. The following is my command.

./config enable-weak-ssl-ciphers --prefix=/opt
make
make DESTDIR=/path/to/dir INSTALL

$ ./openssl version
OpenSSL 1.1.0e  16 Feb 2017

./openssl s_client -cipher "RC4-MD5:@SECLEVEL=0"

error setting cipher list
140369010624144:error:140E6118:SSL routines:SSL_CIPHER_PROCESS_RULESTR:invalid command:ssl_ciph.c:1337:


./openssl ciphers "RC4-MD5:@SECLEVEL=0"
Error in cipher list
140458428679936:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl/ssl_lib.c:2018:

However, after I changed the order of the SSL_CTX_set_XXX function calls, TLS_RSA_WITH_RC4_128_MD5 does appear in the client hello cipher list.

    SSL_CTX_set_security_level(ctx, 0);
    SSL_CTX_set_cipher_list(ctx, "ALL:RC4-MD5");

Regards,
Siyuan
---

On Thu, Jun 1, 2017 at 2:41 AM, Matt Caswell <matt@xxxxxxxxxxx> wrote:


On 31/05/17 21:22, Siyuan Xiang wrote:
> Hi all,
>
> I have a legacy server that only accepts the TLS_RSA_WITH_RC4_128_MD5 cipher.
>
> I have a client using openssl 1.1.0e. It doesn't include
> TLS_RSA_WITH_RC4_128_MD5.
> I have recompiled openssl using enable-weak-ssl-ciphers, but it
> doesn't work,
> although TLS_RSA_WITH_RC4_128_SHA is in the client hello message.
>
> It looks like all MD5-related ciphers are removed. I tried to
> use SSL_CTX_set_security_level to
> set the level to 0, but it doesn't work.
>
> Do you have any idea how to enable TLS_RSA_WITH_RC4_128_MD5?

How have you configured your ciphersuite list? I can get this to work in
1.1.0 using s_server and s_client.

Having built with "enable-weak-ssl-ciphers" I start up s_server like this:

$ openssl s_server -cipher "RC4-MD5:@SECLEVEL=0"

And then run s_client like this:

$ openssl s_client -cipher "RC4-MD5:@SECLEVEL=0"

The connection is successful and uses the RC4-MD5 ciphersuite (aka
TLS_RSA_WITH_RC4_128_MD5).

Matt
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
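
An added example, not part of the original thread: a Python check that hands a cipher string such as "RC4-MD5:@SECLEVEL=0" to the OpenSSL library Python is linked against (the `ssl` module uses the same cipher-string syntax as `s_client -cipher`) and reports whether it is accepted and which selected suites use RC4, MD5 or other legacy primitives. The function names and the `WEAK_TOKENS` set are assumptions of this example.

```python
import ssl

# Name fragments treated as weak here (an assumption of this example).
WEAK_TOKENS = {"RC4", "MD5", "NULL", "EXP", "EXPORT", "DES", "3DES"}


def classify(names):
    """Split cipher suite names (OpenSSL or IANA style) into (weak, other)."""
    weak, other = [], []
    for name in names:
        tokens = set(name.upper().replace("_", "-").split("-"))
        (weak if tokens & WEAK_TOKENS else other).append(name)
    return weak, other


def expand(cipher_string):
    """Suites the linked OpenSSL selects for cipher_string, or None if rejected."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        # Raised when no cipher matches or the rule string is not understood.
        return None
    return [c["name"] for c in ctx.get_ciphers()]


def audit(cipher_string):
    """Report whether the string is accepted and which selected suites are weak."""
    names = expand(cipher_string)
    if names is None:
        return {"accepted": False, "weak": [], "other": []}
    weak, other = classify(names)
    return {"accepted": True, "weak": weak, "other": other}


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    for s in ("RC4-MD5:@SECLEVEL=0", "ALL:@SECLEVEL=0", "DEFAULT"):
        r = audit(s)
        print(f"{s!r}: accepted={r['accepted']} weak={r['weak']}")
```

The result describes the libssl that Python loads, which may differ from a freshly built `./openssl` binary, so compare the printed `ssl.OPENSSL_VERSION` with the build under test.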
