Thanks very much Matt.

I have indeed built with NGINX configure opt --with-openssl-opt=enable-weak-ssl-cipher and whilst I don't see an error when running NGINX with a/some 3DES cipher(s) in the ciphers list, I don't see any 3DES ciphers in the output of e.g. Testssl and I can't make a connection to the server using openssl CLI with -cipher <3DES cipher>.

I wonder if the problem might be either NGINX not respecting/processing the configure opt (above) or possibly removing 3DES ciphers for some reason with openssl 1.1.1.

I'll keep digging, thanks again for your help and for confirming that's the right thing to do.

Cheers

Neil Craig
Lead Technical Architect | Online Technology Group
Broadcast Centre, London W12 7TQ | BC4 A3
Twitter: https://twitter.com/tdp_org

On 17/09/2018, 17:41, "openssl-users on behalf of Matt Caswell" <openssl-users-bounces@xxxxxxxxxxx on behalf of matt@xxxxxxxxxxx> wrote:

>
>
>On 17/09/18 16:29, Neil Craig wrote:
>> Hi all
>>
>> I'm trying to re-add 3DES support (a temporary move, due to business
>> requirements) to an NGINX (1.15.3) + OpenSSL (1.1.1) build via the NGINX
>> build flag --with-openssl-opt=enable-weak-ssl-ciphers which I learnt
>> from https://www.openssl.org/blog/blog/2016/08/24/sweet32/.
>>
>> Whilst I do see some older ciphersuites being offered by NGINX after
>> doing this, e.g. Camellia, Seed and so on, I don't see 3DES. I was
>> expecting to be able to specifically list 3DES e.g. via DES-CBC3-SHA but
>> that didn't work. I have also tried adding @seclevel=0 to the
>> ciphersuite string in NGINX but again, that didn't work, I don't see any
>> 3DES ciphersuites available in NGINX.
>>
>> I'm wondering whether something changed between the above article and
>> the final version of OpenSSL 1.1.1? (i.e. whether 3DES support was
>> completely removed in OpenSSL 1.1.1).
>>
>> Any pointers would be very much appreciated, I can't find anything very
>> useful on the web.
>
>3DES is still available in 1.1.1 but is no longer in the DEFAULT
>ciphersuite list, so unless you explicitly configure them to be
>available you won't see them (even if you configure with
>enable-weak-ssl-ciphers).
>
>E.g. (assuming you compiled with enable-weak-ssl-ciphers):
>
>
>$ openssl ciphers -v | grep 3DES
>
>Will give you 0 ciphers, but
>
>$ openssl ciphers -v 3DES | grep 3DES
>
>Should list 14 different 3DES ciphersuites that are available.
>
>I don't know about nginx config though so maybe someone else can help
>there.
>
>Matt
>
>--
>openssl-users mailing list
>To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users