On 23/05/2020 21:08, Daniel Lenski wrote:
> When OpenConnect is explicitly requested to connect to an ancient
> server, what I am currently trying to do is
> SSL_CTX_set_cipher_list(ctx, "DEFAULT:+3DES:+RC4"). However, this
> fails silently on subsequent connection if 3DES/RC4 support isn't
> available.

As long as at least one cipher is successfully set then this command
will succeed. By setting "DEFAULT" you're getting all the ciphersuites
in the default list and hence the command succeeds.

If you want to test if you have any 3DES ciphersuites available then
you can try this:

    SSL_CTX_set_cipher_list(ctx, "3DES")

This will succeed if at least one 3DES ciphersuite is available, and
fail otherwise. Or you could do:

    SSL_CTX_set_cipher_list(ctx, "3DES:RC4")

Which will succeed if there is at least one ciphersuite based on 3DES
or RC4 available, and fail otherwise.

> It was suggested that I should try EVP_get_ciphername().

The ciphers available via the EVP API are only indirectly related to
the ciphersuites available in libssl. If there are no 3DES based
ciphers available via EVP then there won't be any libssl 3DES based
ciphersuites. But the reverse is not true, i.e. 3DES may not be
available in libssl, but it is via EVP. So this is not a great test
for your purposes.

Matt
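
The per-family probe described in the reply above, as an added example that is not part of the original message and is not OpenConnect or OpenSSL code. It is written in Python because ssl.SSLContext.set_ciphers() passes its string to SSL_CTX_set_cipher_list() and raises ssl.SSLError when nothing is selected; the function names are made up for illustration.

```python
import ssl

def selects_any(spec: str) -> bool:
    """True if cipher string `spec` selects at least one ciphersuite here."""
    # Scratch client context: used only to parse the string, never to connect.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)  # wraps SSL_CTX_set_cipher_list()
    except ssl.SSLError:       # "No cipher can be selected."
        return False
    return True

def probe_families(families=("3DES", "RC4")) -> dict:
    """Probe each legacy family on its own, so a missing one cannot hide
    behind other ciphersuites that matched in the same string."""
    return {name: selects_any(name) for name in families}

def require_any(families=("3DES", "RC4")) -> list:
    """Return the families this build offers, or raise before any connection
    is attempted instead of failing later during the handshake."""
    found = [name for name, ok in probe_families(families).items() if ok]
    if not found:
        raise RuntimeError("no ciphersuites available for: " + ", ".join(families))
    return found

if __name__ == "__main__":
    # The combined string succeeds because DEFAULT alone matches something.
    print("DEFAULT:+3DES:+RC4 accepted:", selects_any("DEFAULT:+3DES:+RC4"))
    print("per-family probe:", probe_families())
    try:
        print("usable legacy families:", require_any())
    except RuntimeError as exc:
        print("cannot talk to a legacy-only server:", exc)
```

The per-family results depend on how the local OpenSSL was built, so the output differs between systems.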