Re: [openssl-users] Re-enable 3DES on NGINX + OpenSSL 1.1.1

2018-09-19 Thread Short, Todd via openssl-users
3DES is considered to only be 112 bits in strength. The default security level 
is 1 (which allows most things), perhaps nginx resets the security level to 3 
or greater (which means a minimum of 128-bit ciphers).

--
-Todd Short
// tsh...@akamai.com
// "One if by land, two if by sea, three if by the Internet."

On Sep 17, 2018, at 4:20 PM, Neil Craig <neil.cr...@bbc.co.uk> wrote:

Thanks very much Matt. I have indeed built with NGINX configure opt
--with-openssl-opt=enable-weak-ssl-cipher and whilst I don't see an error
when running NGINX with a/some 3DES cipher(s) in the ciphers list, I don't
see any 3DES ciphers in the output of e.g. Testssl and I can't make a
connection to the server using openssl CLI with -cipher <3DES cipher>.

I wonder if the problem might be either NGINX not respecting/processing
the configure opt (above) or possibly removing 3DES ciphers for some
reason with openssl 1.1.1.

I'll keep digging, thanks again for your help and for confirming that's
the right thing to do.

Cheers

Neil Craig
Lead Technical Architect | Online Technology Group

Broadcast Centre, London W12 7TQ | BC4 A3
Twitter: https://twitter.com/tdp_org

On 17/09/2018, 17:41, "openssl-users on behalf of Matt Caswell"
<openssl-users-boun...@openssl.org on behalf of m...@openssl.org> wrote:

On 17/09/18 16:29, Neil Craig wrote:
Hi all

I'm trying to re-add 3DES support (a temporary move, due to business
requirements) to an NGINX (1.15.3) + OpenSSL (1.1.1) build via the NGINX
build flag --with-openssl-opt=enable-weak-ssl-ciphers which i learnt
from https://www.openssl.org/blog/blog/2016/08/24/sweet32/.

Whilst I do see some older ciphersuites being offered by NGINX after
doing this, e.g. Camelia, Seed and so on, i don't see 3DES. I was
expecting to be able to specifically list 3DES e.g. via DES-CBC3-SHA but
that didn't work. I have also tried adding @seclevel=0 to the
ciphersuite string in NGINX but again, that didn't work, I don't see any
3DES ciphersuites available in NGINX.

I'm wondering whether something changed between the above article and
the final version of OpenSSL 1.1.1? (I.e. Whether 3DES support was
completely removed in OpenSSL 1.1.1).

Any pointers would be very much appreciated, I can't find anything very
useful on the web.

3DES is still available in 1.1.1 but is no longer in the DEFAULT
ciphersuite list, so unless you explicitly configure them to be
available you won't see them (even if you configure with
enable-weak-ssl-ciphers).

E.g. (assuming you compiled with enable-weak-ssl-ciphers):


$ openssl ciphers -v | grep 3DES

Will give you 0 ciphers, but

$ openssl ciphers -v 3DES | grep 3DES

Should list 14 different 3DES ciphersuites that are available.

I don't know about nginx config though so maybe someone else can help
there.

Matt

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

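Matt's two `openssl ciphers` checks and Todd's security-level point, as an added example that is not part of the thread: a POSIX shell script that counts 3DES suites in `openssl ciphers -v` output (constructed sample lines are embedded so the filter runs without an OpenSSL binary) and, when an `openssl` binary is on the PATH, reports how many 3DES suites survive DEFAULT, an explicit `3DES` list, and that list at each `@SECLEVEL`. The function names `count_3des`, `names_3des` and `report` and the sample lines are my own; the `@SECLEVEL=n` cipher-string syntax is the one documented for OpenSSL 1.1.x.

```shell
#!/bin/sh
# Added example (not from the thread): inspect which 3DES suites a given
# OpenSSL cipher string yields, and at which security level they survive.
# Input format is that of `openssl ciphers -v`, e.g.
#   DES-CBC3-SHA  SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1

# count_3des: reads `openssl ciphers -v` lines on stdin and prints how many
# use 3DES as the bulk cipher. grep -c prints 0 and exits 1 when nothing
# matches, so that exit status is swallowed.
count_3des() {
    grep -c 'Enc=3DES(' || true
}

# names_3des: same input, prints only the suite names (first column).
names_3des() {
    grep 'Enc=3DES(' | awk '{print $1}'
}

# report: for one cipher string, run the real openssl binary (if present)
# and print the number of 3DES suites it yields. Returns 1 if openssl is
# missing. A string that matches nothing makes openssl exit non-zero with
# "no cipher match"; that is reported as 0 suites.
report() {
    cipherstr="$1"
    command -v openssl >/dev/null 2>&1 || return 1
    n=$(openssl ciphers -v "$cipherstr" 2>/dev/null | count_3des)
    printf '%-20s 3DES suites: %s\n' "$cipherstr" "$n"
}

# Constructed sample of what a build with enable-weak-ssl-ciphers prints
# for `openssl ciphers -v 3DES` (two of the 14 suites Matt mentions).
SAMPLE_3DES='ECDHE-RSA-DES-CBC3-SHA  TLSv1 Kx=ECDH     Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1'

# Constructed sample for plain `openssl ciphers -v` (DEFAULT), which in
# 1.1.1 no longer contains 3DES.
SAMPLE_DEFAULT='ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1'

# Offline demonstration on the constructed samples.
printf 'sample DEFAULT: %s 3DES suites\n' "$(printf '%s\n' "$SAMPLE_DEFAULT" | count_3des)"
printf 'sample 3DES:    %s 3DES suites\n' "$(printf '%s\n' "$SAMPLE_3DES" | count_3des)"

# Live run, skipped silently when no openssl binary is available: DEFAULT
# versus an explicit 3DES list, then that list at each security level.
# 3DES is rated at 112 bits, so it drops out once the level demands 128
# bits (level 3 and above), even though it is explicitly listed.
if command -v openssl >/dev/null 2>&1; then
    report 'DEFAULT'
    report '3DES'
    for lvl in 0 1 2 3; do
        report "3DES:@SECLEVEL=$lvl"
    done
fi
```

Because nginx hands its `ssl_ciphers` string to OpenSSL's cipher-list parser, the same string can be probed with `report` before it goes into the server config; if the explicit list shows 3DES suites at level 1 but none at level 3, the server is applying a higher security level than the cipher string alone implies.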


Re: [openssl-users] QNX 6.5 OpenSSL Build

2018-09-19 Thread Short, Todd via openssl-users
You can add the "no-dso" option to the command line to avoid this feature, but 
you lose access to loading engines.
--
-Todd Short
// tsh...@akamai.com
// "One if by land, two if by sea, three if by the Internet."

On Sep 16, 2018, at 1:04 PM, Viktor Dukhovni <openssl-us...@dukhovni.org> wrote:

On Sep 16, 2018, at 11:44 AM, Murugaiyan Perumal via openssl-users <openssl-users@openssl.org> wrote:

dso_dlfcn.c:84:12: fatal error: dlfcn.h: No such file or directory
#  include <dlfcn.h>

http://www.qnx.com/developers/docs/6.5.0/topic/com.qnx.doc.neutrino_lib_ref/d/dlopen.html

This header is expected to be present, perhaps your system is missing
the requisite software development package, or GCC-specific headers.

--
Viktor.



Re: [openssl-users] s_server -www -tls1_3: Firefox/Chrome not working

2018-09-19 Thread Salz, Rich via openssl-users
> The users who delay or block automatic updates tend to greatly overlap
> with the users who actively block remote telemetry of their update
> habits, thus skewing such statistics of "get almost full coverage within
> a month or two".

But not downloads. :)

Shrug.



Re: [openssl-users] s_server -www -tls1_3: Firefox/Chrome not working

2018-09-19 Thread Jakob Bohm

On 18/09/2018 19:11, Salz, Rich via openssl-users wrote:

>> My point was about the likelihood of last-draft browsers lingering
>> on in the real world for some time (like 1 to 3 years) after the
>> TLS1.3-final browser versions ship.
>
> I do not think this is a concern.  Chrome and FF auto-update and get almost
> full coverage within a month or two, for example.  Edge hasn't shipped TLS 1.3
> yet. Safari encourages auto-update.  That's most of the browser market.

While I have already accepted the infeasibility of adding this to
OpenSSL, I will have to emphasize that your argument has a serious
flaw:

The users who delay or block automatic updates tend to greatly overlap
with the users who actively block remote telemetry of their update
habits, thus skewing such statistics of "get almost full coverage within
a month or two".


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
