So, I have a question for this group as well, but it's in regards to this same issue. What if you didn't write the application, and using the SSLCipherSuite is not an option as it's not running Apache? Can someone just compile the FIPS compliant version of OpenSSL which should only allow strong ciphers?
Timothy Cloud MSPRC Database Manager Chickasaw Nation Industries -----Original Message----- From: owner-openssl-...@openssl.org [mailto:owner-openssl-...@openssl.org] On Behalf Of Patrick Patterson Sent: Monday, August 02, 2010 1:52 PM To: openssl-dev@openssl.org Subject: Re: how to disable weak SSL ciphers? On July 30, 2010 10:21:06 pm Robert Feldman -X (robfeldm - Protingent Staffing at Cisco) wrote: > Nessus and " openssl ciphers -v 'ALL:eNULL'" detect the following weak > SSL ciphers on my test server: > > > > NULL-SHA SSLv3 Kx=RSA Au=RSA Enc=None Mac=SHA1 > > NULL-MD5 SSLv3 Kx=RSA Au=RSA Enc=None Mac=MD5 > > > > What configure options do I specify to rebuild openssl to compile out > these weak SSL ciphers? > > Specifying no-md5 should disable required ciphers such as RC4-MD5, which > I do not want to do. > > Is there an openssl config file or runtime tool to disable all ciphers > with Enc=None? > Don't rebuild OpenSSL - configure your application to only use ciphers that comply with whatever security requirements you have. If this is Apache, you can do this fairly simply by using the SSLCipherSuite httpd.conf directive. If you wrote the application, then prior to accepting any connections, use the SSL_CTX_set_cipher_list() function to set everything up the way you want. Have fun! -- Patrick Patterson President and Chief PKI Architect, Carillon Information Security Inc. http://www.carillon.ca ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org --------------------------------------------------------------------- CONFIDENTIALITY NOTICE This e-mail is intended for the sole use of the individual(s) to whom it is addressed, and may contain information that is privileged, confidential and exempt from disclosure under applicable law. You are hereby notified that any dissemination, duplication, or distribution of this transmission by someone other than the intended addressee or its designated agent is strictly prohibited. If you receive this e-mail in error, please notify me immediately by replying to this e-mail. --------------------------------------------------------------------- ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org