Re: Re-enable 3DES on NGINX + OpenSSL 1.1.1

On 17/09/18 16:29, Neil Craig wrote:
> Hi all
> 
> I'm trying to re-add 3DES support (a temporary move, due to business
> requirements) to an NGINX (1.15.3) + OpenSSL (1.1.1) build via the NGINX
> build flag --with-openssl-opt=enable-weak-ssl-ciphers which I learnt
> from https://www.openssl.org/blog/blog/2016/08/24/sweet32/.
> 
> Whilst I do see some older ciphersuites being offered by NGINX after
> doing this, e.g. Camellia, Seed and so on, I don't see 3DES. I was
> expecting to be able to specifically list 3DES e.g. via DES-CBC3-SHA but
> that didn’t work. I have also tried adding @seclevel=0 to the
> ciphersuite string in NGINX but again, that didn’t work, I don’t see any
> 3DES ciphersuites available in NGINX.
> 
> I'm wondering whether something changed between the above article and
> the final version of OpenSSL 1.1.1? (I.e. Whether 3DES support was
> completely removed in OpenSSL 1.1.1).
> 
> Any pointers would be very much appreciated, I can’t find anything very
> useful on the web.

3DES is still available in 1.1.1 but is no longer in the DEFAULT
ciphersuite list, so unless you explicitly configure them to be
available you won't see them (even if you configure with
enable-weak-ssl-ciphers).

E.g. (assuming you compiled with enable-weak-ssl-ciphers):


$ openssl ciphers -v | grep 3DES

Will give you 0 ciphers, but

$ openssl ciphers -v 3DES | grep 3DES

Should list 14 different 3DES ciphersuites that are available.

I don't know about nginx config though so maybe someone else can help there.

Matt

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
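
The check described in the reply above, as an added example that is not part of the original post: a small audit script that expands a cipher string with the local openssl binary and lists the 3DES suites it enables, so DEFAULT can be compared with an explicit string. The function names and the sample output are constructed for illustration; only `openssl ciphers -v` comes from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): find 3DES suites in the output of
# `openssl ciphers -v` by reading the Enc= column of each line.

# list_3des: read `openssl ciphers -v` output on stdin and print the names
# of suites whose bulk cipher is 3DES, one per line.
list_3des() {
    awk '{ for (i = 2; i <= NF; i++) if ($i ~ /^Enc=3DES\(/) { print $1; break } }'
}

# count_3des: same input, prints only the number of 3DES suites.
count_3des() {
    list_3des | wc -l | tr -d ' '
}

# audit_cipher_string (hypothetical helper): expand one cipher string with
# the local openssl binary and report the 3DES suites it enables.
# Returns 2 when openssl cannot expand the string on this build.
audit_cipher_string() {
    expanded=$(openssl ciphers -v "$1" 2>/dev/null) || return 2
    n=$(printf '%s\n' "$expanded" | count_3des)
    printf '%s: %s 3DES suite(s)\n' "$1" "$n"
    printf '%s\n' "$expanded" | list_3des | sed 's/^/  /'
}

# Constructed sample in the column layout of `openssl ciphers -v`,
# used to exercise the parser without an openssl binary.
SAMPLE_OUTPUT='ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-DES-CBC3-SHA TLSv1 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1
CAMELLIA128-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1'

# When run with arguments, audit each one as a cipher string,
# e.g.: sh audit.sh DEFAULT 'DEFAULT:3DES'
if [ "$#" -gt 0 ]; then
    for s in "$@"; do
        audit_cipher_string "$s" || printf '%s: cannot be expanded on this build\n' "$s"
    done
fi
```
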



