Re: [openssl-users] Using weak ciphers in OpenSSL v 1.1.0e client

2017-06-07 Thread gerritvn
Solution found! Add the following line:
SSL_CTX_set_cipher_list(*ppctx, "ALL");




--
View this message in context: 
http://openssl.6102.n7.nabble.com/Using-weak-ciphers-in-OpenSSL-v-1-1-0e-client-tp71061p71064.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
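
The original question in this thread reports that 0x000a (DES-CBC3-SHA) was missing from the Client Hello; the same check can confirm that the cipher list change took effect. The following C check is an added example, not code from the thread or from OpenSSL: the function name and both sample records are constructed for illustration, and it assumes the ClientHello fits in a single TLS record.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLS_RSA_WITH_3DES_EDE_CBC_SHA 0x000a /* DES-CBC3-SHA in OpenSSL naming */

/* Returns 1 if the ClientHello in rec offers suite, 0 if it does not, and -1
 * if rec is not one complete TLS record that starts with a ClientHello
 * (assumption: the ClientHello is not fragmented across records). */
int client_hello_offers(const uint8_t *rec, size_t len, uint16_t suite)
{
    size_t end, pos, cs_len;
    if (len < 5 || rec[0] != 0x16)               /* 0x16 = handshake record */
        return -1;
    end = 5 + (((size_t)rec[3] << 8) | rec[4]);  /* end of the record payload */
    if (end > len || end < 44 || rec[5] != 0x01) /* 0x01 = ClientHello */
        return -1;
    pos = 5 + 4 + 2 + 32;        /* record hdr, handshake hdr, version, random */
    pos += 1 + (size_t)rec[pos]; /* session id length byte and session id */
    if (pos + 2 > end)
        return -1;
    cs_len = ((size_t)rec[pos] << 8) | rec[pos + 1];
    pos += 2;
    if (cs_len % 2 != 0 || pos + cs_len > end)   /* suites are 2 bytes each */
        return -1;
    for (size_t i = 0; i < cs_len; i += 2)
        if ((((unsigned)rec[pos + i] << 8) | rec[pos + i + 1]) == suite)
            return 1;
    return 0;
}

/* Constructed samples (not captures from the thread): minimal TLS 1.2
 * ClientHello records with zero random, empty session id, no extensions. */
static const uint8_t hello_without_3des[54] = {  /* offers c02f, 009c, 002f */
    0x16, 0x03, 0x01, 0x00, 0x31, 0x01, 0x00, 0x00, 0x2d, 0x03, 0x03,
    [44] = 0x00, 0x06, 0xc0, 0x2f, 0x00, 0x9c, 0x00, 0x2f, 0x01, 0x00 };
static const uint8_t hello_with_3des[56] = {     /* same list plus 000a */
    0x16, 0x03, 0x01, 0x00, 0x33, 0x01, 0x00, 0x00, 0x2f, 0x03, 0x03,
    [44] = 0x00, 0x08, 0xc0, 0x2f, 0x00, 0x9c, 0x00, 0x2f, 0x00, 0x0a, 0x01, 0x00 };

int main(void)
{
    printf("without 3DES: %d\n", client_hello_offers(hello_without_3des,
           sizeof hello_without_3des, TLS_RSA_WITH_3DES_EDE_CBC_SHA));
    printf("with 3DES:    %d\n", client_hello_offers(hello_with_3des,
           sizeof hello_with_3des, TLS_RSA_WITH_3DES_EDE_CBC_SHA));
    return 0;
}
```
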


Re: [openssl-users] Using weak ciphers in OpenSSL v 1.1.0e client

2017-06-07 Thread gerritvn
Thank you Ben, but I am afraid it does not work unless I'm doing something
wrong.
Here is a code snippet:
int CSSL::createCTX(SSL_CTX **ppctx, int )
{
    X509_NAME *xn;
    SSL *ssl;
    X509 *pX509;
    POSITION pos;
    TCHAR name[256], *cert_file = NULL, *CAfile, certInfo[512] = _T("");
    int len, err;
    char *CApath = NULL, caFile[256];
    extError = 0;

    if (!(*ppctx = SSL_CTX_new(SSLv23_client_method()))) {
        ::ShowErrorMsg((DWORD)m_pConfig, 0, 0, SSL_ERROR_CAPTION,
                       _T("Error creating ctx object - SSL_CTX_new() failed"));
        extError = _SSL_CTX_NEW_FAILED;
        return _SSL_ERROR;
    }

    SSL_CTX_set_options(*ppctx, 0);
    SSL_CTX_set_security_level(*ppctx, 0); // for compatibility with weak ciphers
    .
    .


Gerrit van Niekerk
GP van Niekerk Ondernemings BK
Roosstraat 211, Meyerspark, 0184, South Africa
Tel: +27(12)8036501 Fax SA: 086 537 4131
Voip: 0105912084
Cell: +27(73)6891370
Email: gerri...@gpvno.co.za, gerritvn1...@gmail.com
Web: http://www.gpvno.co.za


On Wed, Jun 7, 2017 at 6:16 PM, OpenSSL - User mailing list [via OpenSSL] <
ml+s6102n71062...@n7.nabble.com> wrote:

> On 06/07/2017 11:13 AM, gerritvn wrote:
>
> We are using OpenSSL in a terminal emulation product.
> We recently upgraded from OpenSSL v 1.0.2g to OpenSSL v 1.1.0e.
> Some servers we connect to do not support any of the strong ciphers which
> are compiled by default in OpenSSL v 1.1.0e and return an alert with
> "handshake error".
> We recompiled with the option "enable-weak-ssl-ciphers", but that does not
> solve the problem.
> With OpenSSL v 1.0.2g one specific server selected the Cipher Suite:
> TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a) which is shown as DES-CBC3-SHA by
> OpenSSL.
> Listing ciphers with our OpenSSL 1.1.0e "enable-weak-ssl-ciphers" build with
> the command:
> openssl ciphers -v "ALL:@SECLEVEL=0"
> shows this entry:
> DES-CBC3-SHA SSLv3 Kx=RSA  Au=RSA  Enc=3DES(168) Mac=SHA1
> This cipher is, however, not offered in the Client Hello when our client
> opens the connection.
>
> What do we need to add to our program to get our client to offer the weak
> ciphers as well as the strong ones?
>
>
>
>
> https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_security_level.html
>
> -Ben
>


Re: [openssl-users] Using weak ciphers in OpenSSL v 1.1.0e client

2017-06-07 Thread Benjamin Kaduk via openssl-users
On 06/07/2017 11:13 AM, gerritvn wrote:
> We are using OpenSSL in a terminal emulation product.
> We recently upgraded from OpenSSL v 1.0.2g to OpenSSL v 1.1.0e.
> Some servers we connect to do not support any of the strong ciphers which
> are compiled by default in OpenSSL v 1.1.0e and return an alert with
> "handshake error".
> We recompiled with the option "enable-weak-ssl-ciphers", but that does not
> solve the problem.
> With OpenSSL v 1.0.2g one specific server selected the Cipher Suite:
> TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a) which is shown as DES-CBC3-SHA by
> OpenSSL.
> Listing ciphers with our OpenSSL 1.1.0e "enable-weak-ssl-ciphers" build with
> the command:
> openssl ciphers -v "ALL:@SECLEVEL=0"
> shows this entry:
> DES-CBC3-SHA SSLv3 Kx=RSA  Au=RSA  Enc=3DES(168) Mac=SHA1
> This cipher is, however, not offered in the Client Hello when our client
> opens the connection.
>
> What do we need to add to our program to get our client to offer the weak
> ciphers as well as the strong ones?
>


https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_security_level.html

-Ben


[openssl-users] Using weak ciphers in OpenSSL v 1.1.0e client

2017-06-07 Thread gerritvn
We are using OpenSSL in a terminal emulation product.
We recently upgraded from OpenSSL v 1.0.2g to OpenSSL v 1.1.0e.
Some servers we connect to do not support any of the strong ciphers which
are compiled by default in OpenSSL v 1.1.0e and return an alert with
"handshake error".
We recompiled with the option "enable-weak-ssl-ciphers", but that does not
solve the problem.
With OpenSSL v 1.0.2g one specific server selected the Cipher Suite:
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a) which is shown as DES-CBC3-SHA by
OpenSSL.
Listing ciphers with our OpenSSL 1.1.0e "enable-weak-ssl-ciphers" build with
the command:
openssl ciphers -v "ALL:@SECLEVEL=0"
shows this entry:
DES-CBC3-SHA SSLv3 Kx=RSA  Au=RSA  Enc=3DES(168) Mac=SHA1
This cipher is, however, not offered in the Client Hello when our client
opens the connection.

What do we need to add to our program to get our client to offer the weak
ciphers as well as the strong ones?




