On 01/06/17 18:16, Siyuan Xiang wrote: > Hi Matt, > > I tried the following command, it failed. following is my command. > > ./config enable-weak-ssl-ciphers --prefix=/opt > make > make DESTDIR=/path/to/dir INSTALL > > $ ./openssl version > OpenSSL 1.1.0e 16 Feb 2017 > > ./openssl s_client -cipher "RC4-MD5:@SECLEVEL=0" > > error setting cipher list > 140369010624144:error:140E6118:SSL > routines:SSL_CIPHER_PROCESS_RULESTR:invalid command:ssl_ciph.c:1337: > > > ./openssl ciphers "RC4-MD5:@SECLEVEL=0" > Error in cipher list > 140458428679936:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no > cipher match:ssl/ssl_lib.c:2018: That's very strange. Those exact same commands work fine for me. Are you sure you are picking up the version of 1.1.0e compiled with enable-weak-ssl-ciphers and not some other previous compilation of 1.1.0e? Matt > > However, after I change SSL_CTX_set_XXX function > orders, TLS_RSA_WITH_RC4_128_MD5 do appear in client hello cipher list. > > SSL_CTX_set_security_level(ctx, 0); > SSL_CTX_set_cipher_list(ctx, "ALL:RC4-MD5"); > > Regards, > Siyuan > --- > > On Thu, Jun 1, 2017 at 2:41 AM, Matt Caswell <matt@xxxxxxxxxxx > <mailto:matt@xxxxxxxxxxx>> wrote: > > > > On 31/05/17 21:22, Siyuan Xiang wrote: > > Hi all, > > > > I have a legacy server only accept TLS_RSA_WITH_RC4_128_MD5 cipher. > > > > I have a client using openssl 1.1.0e. It doesn't include > > TLS_RSA_WITH_RC4_128_MD5. > > I have recompiled the openssl using enable-weak-ssl-ciphers, but it > > doesn't work > > but TLS_RSA_WITH_RC4_128_SHA is in client hello message. > > > > It looks like all MD5 related ciphers are removed. I tried to > > use SSL_CTX_set_security_level to > > set level to 0. but it doesn't work. > > > > Do you have any idea how to enable TLS_RSA_WITH_RC4_128_MD5? > > How have you configured your ciphersuite list? I can get this to work in > 1.1.0 using s_server and s_client. > > Having built with "enable-weak-ssl-ciphers" I start up s_server like > this: > > $ openssl s_server -cipher "RC4-MD5:@SECLEVEL=0" > > And then run s_client like this: > > $ openssl s_client -cipher "RC4-MD5:@SECLEVEL=0" > > The connection is successful and uses the RC4-MD5 ciphersuite (aka > TLS_RSA_WITH_RC4_128_MD5). > > Matt > -- > openssl-users mailing list > To unsubscribe: > https://mta.openssl.org/mailman/listinfo/openssl-users > <https://mta.openssl.org/mailman/listinfo/openssl-users> > > > > -- openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
