You need
'!aNULL:!eNULL:!LOW:!SSLv2:!EXPORT:!EXPORT56:FIPS:MEDIUM:HIGH:@STRENGTH' as the
argument to SSL_CTX_set_cipher_list().

You can't get rid of MD5, as *everything* requires it.  If you get rid of it, 
TLS v1.0 won't work, SSLv3 won't work, and I don't even know about the TLS v1.1 
stuff that's going into (appropriately) OpenSSL v1.1 (and backported to v1.0.1).

(Can we get TLS v1.2 in v1.2, and then start numbering based on the version of 
the protocol it speaks? ;) )

-Kyle H

On Mon, Aug 2, 2010 at 11:52 AM, Patrick Patterson <ppatter...@carillonis.com> 
wrote:
On July 30, 2010 10:21:06 pm Robert Feldman -X (robfeldm - Protingent Staffing
at Cisco) wrote:
Nessus and "openssl ciphers -v 'ALL:eNULL'" detect the following weak
SSL ciphers on my test server:

NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
NULL-MD5                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=MD5

What configure options do I specify to rebuild openssl to compile out
these weak SSL ciphers?

Specifying no-md5 should disable required ciphers such as RC4-MD5, which
I do not want to do.

Is there an openssl config file or runtime tool to disable all ciphers
with Enc=None?

Don't rebuild OpenSSL - configure your application to only use ciphers that
comply with whatever security requirements you have. If this is Apache, you
can do this fairly simply by using the SSLCipherSuite httpd.conf directive. If
you wrote the application, then prior to accepting any connections, use the
SSL_CTX_set_cipher_list() function to set everything up the way you want.

Have fun!

--
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
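The runtime approach Patrick and Kyle describe, as an added example that is not from the thread: instead of rebuilding OpenSSL, the application applies the quoted cipher string through Python's ssl module, whose set_ciphers() is a wrapper over SSL_CTX_set_cipher_list(), and then re-checks the live context for any Enc=None suite. The sample `openssl ciphers -v` lines are constructed to match the layout quoted above.

```python
"""Disable NULL-encryption suites at runtime (no OpenSSL rebuild) and verify it."""
import ssl

# Cipher string quoted in the thread (OpenSSL cipher-list syntax).
CIPHER_STRING = "!aNULL:!eNULL:!LOW:!SSLv2:!EXPORT:!EXPORT56:FIPS:MEDIUM:HIGH:@STRENGTH"

# Constructed sample in the same layout as the 'openssl ciphers -v' output above.
SAMPLE_CIPHERS_V = """\
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
NULL-MD5                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=MD5
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
"""


def parse_ciphers_v(text):
    """Parse 'openssl ciphers -v' lines into dicts: name, protocol, Kx/Au/Enc/Mac."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        row = {"name": fields[0], "protocol": fields[1]}
        for kv in fields[2:]:
            key, _, val = kv.partition("=")
            row[key] = val
        rows.append(row)
    return rows


def null_encryption_ciphers(rows):
    """Names of suites that give no confidentiality (Enc=None): the eNULL set."""
    return [r["name"] for r in rows if r.get("Enc") == "None"]


def context_with_cipher_string(cipher_string=CIPHER_STRING):
    """Restrict the context at runtime; set_ciphers() wraps SSL_CTX_set_cipher_list()."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return ctx


def enabled_null_ciphers(ctx):
    """Re-check the live context; get_ciphers() carries the same 'Enc=...' description
    text as 'openssl ciphers -v', so the same Enc=None test applies."""
    return [c["name"] for c in ctx.get_ciphers() if "Enc=None" in c["description"]]


if __name__ == "__main__":
    print("reported by scanner:", null_encryption_ciphers(parse_ciphers_v(SAMPLE_CIPHERS_V)))
    print("still enabled after set_ciphers():", enabled_null_ciphers(context_with_cipher_string()))
```

Keywords that a newer OpenSSL no longer knows (such as EXPORT56) are skipped by the cipher-list parser rather than rejected, so the string still applies cleanly.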

