So, I have a question for this group as well, but it's in regards to this same 
issue.
What if you didn't write the application, and using the SSLCipherSuite is not 
an option as it's not running Apache?
Can someone just compile the FIPS compliant version of OpenSSL which should 
only allow strong ciphers?


Timothy Cloud
MSPRC Database Manager
Chickasaw Nation Industries

-----Original Message-----
From: owner-openssl-...@openssl.org [mailto:owner-openssl-...@openssl.org] On 
Behalf Of Patrick Patterson
Sent: Monday, August 02, 2010 1:52 PM
To: openssl-dev@openssl.org
Subject: Re: how to disable weak SSL ciphers?

On July 30, 2010 10:21:06 pm Robert Feldman -X (robfeldm - Protingent Staffing 
at Cisco) wrote:
> Nessus and "openssl ciphers -v 'ALL:eNULL'" detect the following weak
> SSL ciphers on my test server:
> 
> NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
> NULL-MD5                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=MD5
> 
> What configure options do I specify to rebuild openssl to compile out
> these weak SSL ciphers?
> 
> Specifying no-md5 should disable required ciphers such as RC4-MD5, which
> I do not want to do.
> 
> Is there an openssl config file or runtime tool to disable all ciphers
> with Enc=None?
> 
> 
Don't rebuild OpenSSL - configure your application to only use ciphers that 
comply with whatever security requirements you have. If this is Apache, you 
can do this fairly simply by using the SSLCipherSuite httpd.conf directive. If 
you wrote the application, then prior to accepting any connections, use the 
SSL_CTX_set_cipher_list() function to set everything up the way you want.

Have fun!

-- 
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
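Patrick's SSL_CTX_set_cipher_list() advice, shown through Python's ssl module (whose SSLContext.set_ciphers() wraps that same call) as an added example that is not code from this thread. The two cipher strings are assumed profiles chosen for illustration; the check reads the same Enc=None / Au=None fields that Robert's `openssl ciphers -v` output shows, so it verifies that the restricted list really contains no NULL-encryption suite.

```python
import ssl

# Assumed example cipher strings, not taken from the thread:
# MINIMAL answers the question as asked (drop every suite with Enc=None,
# and while at it every unauthenticated suite); HARDENED is a more
# conservative profile that also drops export and low-strength suites.
MINIMAL = "ALL:!eNULL:!aNULL"
HARDENED = "HIGH:!aNULL:!eNULL:!EXPORT:!LOW"


def make_server_context(cipher_string):
    """Build a server SSLContext whose TLS 1.2-and-below suite list is restricted.

    SSLContext.set_ciphers() is a thin wrapper over SSL_CTX_set_cipher_list();
    it raises ssl.SSLError when the string selects no cipher suite at all.
    TLS 1.3 suites are not governed by this string and always encrypt.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return ctx


def weak_suites(ctx):
    """Names of enabled suites with no encryption (Enc=None) or no
    peer authentication (Au=None), judged from the `openssl ciphers -v`
    style description string OpenSSL reports for each suite."""
    return sorted(
        c["name"] for c in ctx.get_ciphers()
        if "Enc=None" in c["description"] or "Au=None" in c["description"]
    )


def audit(cipher_string):
    """Return (number of enabled suites, sorted weak suite names) for a
    cipher string, or (0, []) when the string selects nothing."""
    try:
        ctx = make_server_context(cipher_string)
    except ssl.SSLError:
        return 0, []
    return len(ctx.get_ciphers()), weak_suites(ctx)


if __name__ == "__main__":
    # 'ALL:eNULL' is the string from the thread; which NULL suites it
    # enables depends on how the local libssl was built, so output varies.
    for spec in ("ALL:eNULL", MINIMAL, HARDENED):
        total, weak = audit(spec)
        print(f"{spec:32} enabled={total:3d} weak={weak}")
```

The same Enc=None check can be run against a deployed server with `openssl ciphers -v` plus the server's configured string, which covers the case where the application is not yours to change but its cipher string is.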

