> From: owner-openssl-us...@openssl.org On Behalf Of Dr. Stephen Henson
> Sent: Thursday, 24 January, 2013 18:19
>
> On Thu, Jan 24, 2013, Jeffrey Walton wrote:
>
> > On Wed, Jan 23, 2013 at 1:20 PM, Smith, Russell (Shane), Contractor
> > <russell.s.smith....@sofsa.mil> wrote:
> > > I am looking for a way to disable weak ciphers in openssl.
> > > I have a legacy program that uses the "default" SSL ciphers and is not
> > > configurable like apache and httpd.conf etc.
> > > Is there any way I can change the actual openssl configuration on my
> > > server
> > > So that only selected ciphers and protocols are available?
> >
> > The program is legacy. Is the library being used as a shared object?
> >
> > If so, you can configure the library with -no-sslv2, -no-sslv3, etc.
> > It can be used to remove weak/wounded/broken ciphers and protocols.
> >
>
To be exact, you can configure a new build of the library, and use that
modified library instead of the existing one. That works for protocols,
notably ssl2 (I believe no v here) which is definitely damaged, and
possibly ssl3 for some US govt environments (actually secure, but
prohibited by NIST). It can't exclude weak *suites* -- e.g. you can throw
out RC4, but you can't throw out RC4-40-export while keeping RC4-128.

> It is also possible to hand edit the SSL_DEFAULT_CIPHER_LIST
> definition in ssl.h
>
That does suites. Especially if you like the categories OpenSSL already
implements (e.g. HIGH:MEDIUM:!aNULL). If you have to name individual
suites it's more tedious. Except for SSLv2 which apparently uses a
different default -- but per above you don't want SSLv2 at all.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
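The thread's second route (a cipher-list string such as HIGH:MEDIUM:!aNULL, whether baked into SSL_DEFAULT_CIPHER_LIST or passed at runtime) is worth checking before it goes into a build, because OpenSSL silently ignores keywords that match no suite and only errors when the whole list is empty. The following is an added example, not code from the thread or from the OpenSSL project: it feeds candidate strings through the real OpenSSL cipher-list parser via Python's ssl module (ssl.SSLContext.set_ciphers / get_ciphers) and flags suites a reviewer would reject. The helper names resolve, weak_suites and is_valid are this example's own; which suites survive depends on the OpenSSL build Python is linked against (RC4 and export suites are absent from 1.1.0 and later, so the "!RC4" below is a no-op there but still parses).

```python
"""Check OpenSSL cipher-list strings before committing them to a build.

Added example (not from the mailing-list thread). Uses Python's ssl module,
which is a binding to the system OpenSSL, so set_ciphers() runs the same
parser that SSL_DEFAULT_CIPHER_LIST / SSL_CTX_set_cipher_list() use.
"""
import ssl


def resolve(cipher_string):
    """Return the suites OpenSSL selects for cipher_string.

    Each entry is a dict from SSLContext.get_ciphers() with keys such as
    'name', 'description', 'strength_bits', 'protocol'.
    Raises ssl.SSLError if the string selects no suite at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)   # same parser as SSL_CTX_set_cipher_list()
    return ctx.get_ciphers()


def is_valid(cipher_string):
    """True if OpenSSL accepts the string, i.e. at least one suite matches."""
    try:
        resolve(cipher_string)
    except ssl.SSLError:
        return False
    return True


def weak_suites(cipher_string, min_bits=128):
    """Names of selected suites a reviewer would reject.

    Flags anonymous key exchange ('Au=None' in OpenSSL's description, the
    suites that !aNULL is meant to remove), NULL encryption, and anything
    whose effective strength is below min_bits.
    """
    flagged = []
    for c in resolve(cipher_string):
        desc = c["description"]
        if "Au=None" in desc or "Enc=None" in desc or c["strength_bits"] < min_bits:
            flagged.append(c["name"])
    return flagged


def protocols(cipher_string):
    """Sorted set of protocol versions the selected suites belong to."""
    return sorted({c["protocol"] for c in resolve(cipher_string)})


if __name__ == "__main__":
    # Candidate strings: the thread's category-based one, a tightened
    # variant, and a typo to show how OpenSSL reports an empty list.
    for s in ("HIGH:MEDIUM:!aNULL", "HIGH:MEDIUM:!aNULL:!3DES:!RC4", "NOSUCHSUITE"):
        if not is_valid(s):
            print(f"{s!r}: rejected (no cipher can be selected)")
            continue
        suites = resolve(s)
        print(f"{s!r}: {len(suites)} suites, protocols {protocols(s)}, "
              f"flagged {weak_suites(s) or 'none'}")
```

Because get_ciphers() also lists the fixed TLS 1.3 suites, the protocols() output shows directly that a cipher-list string governs TLS 1.2 and earlier only; protocol removal is still the configure-time (or SSL_CTX_set_options) job the thread describes.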