On July 30, 2010 10:21:06 pm Robert Feldman -X (robfeldm - Protingent Staffing at Cisco) wrote:
> Nessus and "openssl ciphers -v 'ALL:eNULL'" detect the following weak
> SSL ciphers on my test server:
>
> NULL-SHA SSLv3 Kx=RSA Au=RSA Enc=None Mac=SHA1
> NULL-MD5 SSLv3 Kx=RSA Au=RSA Enc=None Mac=MD5
>
> What configure options do I specify to rebuild openssl to compile out
> these weak SSL ciphers?
>
> Specifying no-md5 should disable required ciphers such as RC4-MD5, which
> I do not want to do.
>
> Is there an openssl config file or runtime tool to disable all ciphers
> with Enc=None?
>

Don't rebuild OpenSSL - configure your application to only use ciphers that comply with whatever security requirements you have.

If this is Apache, you can do this fairly simply by using the SSLCipherSuite httpd.conf directive.

If you wrote the application, then prior to accepting any connections, use the SSL_CTX_set_cipher_list() function to set everything up the way you want.

Have fun!

--
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
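
Added example, not part of the original thread: a Python check of the runtime approach recommended in the reply. Python's `SSLContext.set_ciphers()` wraps `SSL_CTX_set_cipher_list()`, so the same cipher strings apply; the string `ALL:!eNULL`, the function names and the RC4-MD5 sample line are assumptions made for illustration.

```python
import ssl

# First two lines are the ones quoted in the thread; the RC4-MD5 line is
# constructed here for contrast (same `openssl ciphers -v` column layout).
SAMPLE = """\
NULL-SHA SSLv3 Kx=RSA Au=RSA Enc=None Mac=SHA1
NULL-MD5 SSLv3 Kx=RSA Au=RSA Enc=None Mac=MD5
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
"""


def parse_cipher_line(line):
    """Parse one `openssl ciphers -v` style line into a dict, or None."""
    tokens = line.split()
    if len(tokens) < 2:
        return None
    entry = {"name": tokens[0], "protocol": tokens[1]}
    for tok in tokens[2:]:
        key, sep, value = tok.partition("=")
        if sep:  # keep only Key=Value columns (Kx, Au, Enc, Mac)
            entry[key] = value
    return entry


def null_encryption_names(lines):
    """Return the names of suites whose Enc column is None (no encryption)."""
    names = []
    for line in lines:
        entry = parse_cipher_line(line)
        if entry and entry.get("Enc") == "None":
            names.append(entry["name"])
    return names


def enabled_null_ciphers(cipher_string):
    """Apply cipher_string to a fresh server context and list any
    Enc=None suites that remain enabled."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # wraps SSL_CTX_set_cipher_list()
    # Each 'description' uses the same columns as `openssl ciphers -v`.
    return null_encryption_names(c["description"] for c in ctx.get_ciphers())


if __name__ == "__main__":
    print("NULL suites in sample:", null_encryption_names(SAMPLE.splitlines()))
    for spec in ("ALL:eNULL", "ALL:!eNULL"):
        print(spec, "->", enabled_null_ciphers(spec))
```

The same cipher string syntax is what Apache's SSLCipherSuite directive accepts.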