Re: Using weak ciphers in OpenSSL v 1.1.0e client

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Thank you Ben, but I am afraid it does not work unless I'm doing something wrong.
Here is a code snippet:
int CSSL::createCTX(SSL_CTX **ppctx, int &extError)
{
    X509_NAME *xn;
    SSL *ssl;
    X509 *pX509;
    POSITION pos;
    TCHAR name[256], *cert_file = NULL, *CAfile, certInfo[512] = _T("");
    int len, err;
    char *CApath = NULL, caFile[256];
    extError = 0;

    if(!(*ppctx = SSL_CTX_new(SSLv23_client_method()))) {
        ::ShowErrorMsg((DWORD)m_pConfig, 0, 0, SSL_ERROR_CAPTION, _T("Error creating ctx object - SSL_CTX_new() failed"));
        extError = _SSL_CTX_NEW_FAILED;
        return _SSL_ERROR;
    }

    SSL_CTX_set_options(*ppctx, 0);
    SSL_CTX_set_security_level(*ppctx, 0);    // for compatibility with weak ciphers
.
.


Gerrit van Niekerk
GP van Niekerk Ondernemings BK
Roosstraat 211, Meyerspark, 0184, South Africa
Tel: +27(12)8036501 Fax SA: 086 537 4131
Voip: 0105912084
Cell: +27(73)6891370
Email: [hidden email], [hidden email]
Web: http://www.gpvno.co.za


On Wed, Jun 7, 2017 at 6:16 PM, OpenSSL - User mailing list [via OpenSSL] <[hidden email]> wrote:
On 06/07/2017 11:13 AM, gerritvn wrote:
We are using OpenSSL in a terminal emulation product.
We recently upgraded from OpenSSL v 1.0.2g to OpenSSL v 1.1.0e.
Some servers we connect to do not support any of the strong ciphers which
are compiled by default in OpenSSL v 1.1.0e and returns an alert with
"handshake error". 
We recompiled with the option "enable-weak-ssl-ciphers", but that does not
solve the problem.
With OpenSSL v 1.0.2g one specific server selected the Cipher Suite:
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a) which is shown as DES-CBC3-SHA by
OpenSSL
Listing ciphers with our OpenSSL 1.1.0e "enable-weak-ssl-ciphers" build with
the command:
openssl ciphers -v "ALL:@SECLEVEL=0" 
shows this entry:
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
This cipher is, however, not offered in the Client Hello when our client
opens the connection.

What do we need to add to our program to get our client to offer the weak
ciphers as well as the strong ones?



https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_security_level.html

-Ben

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



If you reply to this email, your message will be added to the discussion below:
http://openssl.6102.n7.nabble.com/Using-weak-ciphers-in-OpenSSL-v-1-1-0e-client-tp71061p71062.html
To unsubscribe from Using weak ciphers in OpenSSL v 1.1.0e client, click here.
NAML



View this message in context: Re: Using weak ciphers in OpenSSL v 1.1.0e client
Sent from the OpenSSL - User mailing list archive at Nabble.com.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux