> From: owner-openssl-us...@openssl.org On Behalf Of Suter, Ray CTR NAVAIR, 724000D
> Sent: Friday, 13 January, 2012 11:18

> Is there a way to remove a cipher completely from ever being
> used? We use retina and it is picking up
> DES-CBC-SHA and I need to remove it from being used, seen, or
> included in any scan.
> Even better is there a way to remove all LOW ciphers from
> being used or listed?

If you are concerned about an SSL server (or several) using OpenSSL, if the server code can call SSL_[CTX_]set_cipher_list with an appropriate (preferably configurable) string, you can disable or enable specific ciphers or groups of them. If you want to disable the ciphers OpenSSL identifies as LOW, which are the 5 implemented single-DES, use "DEFAULT:!LOW". If you are doing this to improve security, you probably want to also disable the "EXPORT" suites which have only 40-bit security level and thus are "lower than low".

If your server code doesn't call _set_cipher_list at all (and can't easily be changed to) you can rebuild OpenSSL with SSL_DEFAULT_CIPHER_LIST in ssl.h patched as you desire. For a static linked application (server) you must relink and maintain that; for a dynamic linked application you usually must set up and maintain custom paths (unless yours is the *only* app using OpenSSL on this system *and* it allows changing the "system" instance, which is usually not the case on systems that are managed to best/good practices).

If your server calls _set_cipher_list with a *wrong* value (or might), you can patch and rebuild OpenSSL turning off the implemented flag for each unwanted cipher table entry in s2_lib.c and s3_lib.c. (Or delete them, but that causes a greater source difference which may make support harder.)

If there are multiple servers with this issue, repeat for each. If the servers are different, the solutions may be different. If the/a server is not using OpenSSL, you're in the wrong place.

To prevent a connection from a client to a server using a suite, you can either disable it in the server or the client. Usually there are more clients (often many more) and less control of them, so it's easier and better to disable in the server(s).

To prevent a scan seeing and listing a suite, similarly in abstract you can either disable in the server or skip it in the scan (or skip the scan entirely). But nobbling the scan is normally undesired.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
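As an added example (not code from the thread and not part of OpenSSL itself), the following Python uses the standard library `ssl` module, whose `SSLContext.set_ciphers()` hands the string straight to OpenSSL's `SSL_CTX_set_cipher_list()`, to show which suites the reply's "DEFAULT:!LOW" string, extended with "!EXPORT", actually leaves enabled, and to check that result for the single-DES and 40-bit export suites a scanner would flag. The candidate cipher strings and the weak-name heuristic (`is_weak_name`) are this example's own assumptions, not anything the reply or OpenSSL defines.

```python
import ssl

# Constructed candidate: the reply's "DEFAULT:!LOW" with the EXPORT suites
# also excluded. An assumption of this example, not a setting from any server.
HARDENED_CIPHER_STRING = "DEFAULT:!LOW:!EXPORT"


def allowed_ciphers(cipher_string: str) -> list:
    """Apply an OpenSSL cipher string to a server context and return the
    names of the suites OpenSSL would actually offer.

    set_ciphers() is a thin wrapper over SSL_CTX_set_cipher_list(), so the
    selection logic (DEFAULT, !LOW, !EXPORT, ...) is OpenSSL's own. A string
    that matches no suite makes OpenSSL fail, which surfaces as ssl.SSLError
    rather than a silent fallback to the compiled-in default list.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]


def is_weak_name(name: str) -> bool:
    """Heuristic for the suites discussed in the thread (an assumption of
    this example, not an OpenSSL API): single-DES suites, which OpenSSL
    groups as LOW, and 40-bit EXPORT suites. Triple DES is spelled
    'DES-CBC3' in OpenSSL names and is deliberately not matched, because
    the reply's LOW class means single DES only."""
    if name.startswith("EXP-") or name.startswith("EXP1024-"):
        return True
    return "DES-CBC-" in name and "DES-CBC3-" not in name


def weak_ciphers(names) -> list:
    """Return the subset of offered suite names a scanner would report."""
    return [n for n in names if is_weak_name(n)]


def check_cipher_string(cipher_string: str) -> dict:
    """Evaluate a candidate string the way an operator would before putting
    it into a server's configuration: is it valid for this OpenSSL build,
    what does it offer, and does anything weak survive?"""
    try:
        offered = allowed_ciphers(cipher_string)
    except ssl.SSLError as exc:
        return {"valid": False, "error": str(exc), "offered": [], "weak": []}
    return {
        "valid": True,
        "error": "",
        "offered": offered,
        "weak": weak_ciphers(offered),
    }


if __name__ == "__main__":
    # Constructed candidates, from permissive to stricter.
    for candidate in ("DEFAULT", HARDENED_CIPHER_STRING, "DEFAULT:!LOW:!EXPORT:!RC4:!3DES"):
        result = check_cipher_string(candidate)
        if not result["valid"]:
            print(f"{candidate!r}: rejected by OpenSSL: {result['error']}")
            continue
        print(f"{candidate!r}: {len(result['offered'])} suites offered, "
              f"weak: {result['weak'] or 'none'}")
```

On OpenSSL 1.1.0 and later the LOW and EXPORT suites are no longer compiled in, so even plain `DEFAULT` reports no weak suites; the check is most informative on the 1.0.x builds the thread dates from, where `DEFAULT` still included them. Either way, running the candidate string through the same `SSL_CTX_set_cipher_list()` path the server uses is a cheaper verification than waiting for the next scan.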