> From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On Behalf Of
> Daniel Lenski
> Sent: Saturday, May 23, 2020 17:24
>
> > Other than looping through all of the ciphers with SSL_get_ciphers()
> > right after this… is there a better way to check for 3DES/RC4 support
> > right at startup, so we can give immediate feedback that connecting to
> > such a server cannot succeed?
>
> It was suggested that I should try EVP_get_ciphername().
>
> I tested both EVP_get_cipherbyname("DES-EDE3-CBC") == NULL, and
> EVP_des_ede3_cbc() == NULL, but unfortunately both of those APIs
> appear insensitive to whether or not 3DES is actually supported by the
> library.
>
> Is there another approach to check for 3DES support before actually
> creating an SSL_CTX?

Actually trying to encrypt something using 3DES and the EVP API? Maybe it would even fail on EVP_CipherInit. It's been a while since I used that, but something like:

    #include <openssl/evp.h>

    /* Probe: attempt a real 3DES-CBC encryption; nonzero means it worked. */
    static const unsigned char dummy[192] = {1};
    unsigned char dummy_out[8];
    int outlen = 0;
    EVP_CIPHER_CTX *ctx = EVP_CIPHER_CTX_new();
    /* EVP_CipherInit takes a fifth argument; 1 selects encryption. */
    int tdes_enabled = EVP_CipherInit(ctx, EVP_des_ede3_cbc(), dummy, dummy, 1)
        && EVP_EncryptUpdate(ctx, dummy_out, &outlen, dummy, 1)
        && EVP_EncryptFinal(ctx, dummy_out, &outlen);
    EVP_CIPHER_CTX_free(ctx);

Untested.

--
Michael Wojcik
Distinguished Engineer, Micro Focus