On 06/07/2017 11:13 AM, gerritvn wrote:
> We are using OpenSSL in a terminal emulation product.
> We recently upgraded from OpenSSL v 1.0.2g to OpenSSL v 1.1.0e.
> Some servers we connect to do not support any of the strong ciphers which are compiled by default in OpenSSL v 1.1.0e and return an alert with "handshake error".
> We recompiled with the option "enable-weak-ssl-ciphers", but that does not solve the problem.
> With OpenSSL v 1.0.2g one specific server selected the Cipher Suite:
> TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
> which is shown as DES-CBC3-SHA by OpenSSL.
> Listing ciphers with our OpenSSL 1.1.0e "enable-weak-ssl-ciphers" build with the command:
> openssl ciphers -v "ALL:@SECLEVEL=0"
> shows this entry:
> DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
> This cipher is, however, not offered in the Client Hello when our client opens the connection.
> What do we need to add to our program to get our client to offer the weak ciphers as well as the strong ones?

https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_security_level.html

-Ben
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users