Hi Tomas,

Is it possible to enable legacy protocols/ciphers but disable only one? In particular we want RC4-SHA to be disabled.

--------
Regards,
Junaid

On Wed, Apr 15, 2020 at 5:13 PM Junaid Mukhtar <junaid.mukh...@gmail.com> wrote:

> Thanks a lot; It really helped
>
> --------
> Regards,
> Junaid
>
>
> On Wed, Apr 15, 2020 at 5:04 PM Tomas Mraz <tm...@redhat.com> wrote:
>
>> On Wed, 2020-04-15 at 16:57 +0100, Junaid Mukhtar wrote:
>> > Hi Team
>> >
>> > I am trying to enable TLSv1 on CentOS-8. We don't have the ability to
>> > upgrade the server unfortunately so we need to enable TLSv1 with
>> > weak-ciphers on OpenSSL.
>> >
>> > I have tried to build the OpenSSL version manually using switches
>> > "./config --prefix=/usr/local/openssl --openssldir=/usr/local/openssl
>> > shared enable-weak-ssl-ciphers enable-deprecated enable-rc4
>> > enable-tls1 zlib" which ran successfully
>> >
>> > [root@2cb6477375aa openssl-OpenSSL_1_1_1c]# openssl version
>> > OpenSSL 1.1.1c 28 May 2019
>> >
>> >
>> > But I am still not able to run the "openssl s_client -connect "
>> > command without specifying -tls1 in it. Build accepts the
>> > weak-ciphers but not the tls1 version.
>> >
>> > Can someone please help me with this?
>>
>> You should not need to recompile openssl or anything.
>>
>> Just run:
>>
>> update-crypto-policies --set LEGACY
>>
>> and restart the service that is supposed to be providing the TLS1
>> server or reboot the machine.
>>
>> The LEGACY crypto policy purpose is exactly for re-enabling some of the
>> not-up-to-date protocols and crypto algorithms.
>>
>> --
>> Tomáš Mráz
>> No matter how far down the wrong road you've gone, turn back.
>> Turkish proverb
>> [You'll know whether the road is wrong if you carefully listen to your
>> conscience.]
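
A check that can be run after a policy change such as the one discussed in this thread, added here as an example and not part of the original messages: it reports the minimum protocol the policy sets and which RC4 suites a cipher list still contains. The function names, the `Key = value` policy layout, the back-end file path in the closing comment and the sample data are assumptions made for the example; the sample data is constructed.

```shell
#!/bin/sh
# Added example: audit what a crypto policy actually leaves enabled.

# Print the value of a "Key = value" line from an OpenSSL policy fragment
# read on stdin (layout assumed, e.g. "MinProtocol = TLSv1").
policy_value() {
    awk -F' *= *' -v key="$1" '$1 == key { sub(/^[^=]*= */, ""); print; exit }'
}

# Read `openssl ciphers -v` output on stdin and print the names of the
# suites whose bulk cipher (the Enc= column) is RC4.
rc4_suites() {
    awk '{ for (i = 2; i <= NF; i++) if ($i ~ /^Enc=RC4\(/) { print $1; break } }'
}

# Map a protocol name to an ordering rank; fail on an unknown name.
proto_rank() {
    case "$1" in
        SSLv3)   echo 0 ;;
        TLSv1)   echo 1 ;;
        TLSv1.1) echo 2 ;;
        TLSv1.2) echo 3 ;;
        TLSv1.3) echo 4 ;;
        *)       return 1 ;;
    esac
}

# Succeed if protocol $1 is at or above the configured minimum $2.
proto_allowed() {
    w=$(proto_rank "$1") && m=$(proto_rank "$2") && [ "$w" -ge "$m" ]
}

# Constructed sample data (not taken from a real host).
SAMPLE_POLICY='CipherString = @SECLEVEL=1:kEECDH:kRSA:!eNULL:!aNULL
MinProtocol = TLSv1'
SAMPLE_CIPHERS='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1'

min_proto=$(printf '%s\n' "$SAMPLE_POLICY" | policy_value MinProtocol)
if proto_allowed TLSv1 "$min_proto"; then echo "TLSv1 allowed (MinProtocol=$min_proto)"; fi
printf '%s\n' "$SAMPLE_CIPHERS" | rc4_suites | sed 's/^/RC4 suite still enabled: /'

# On a real host (path assumed from the crypto-policies back-end layout):
#   cfg=/etc/crypto-policies/back-ends/opensslcnf.config
#   openssl ciphers -v "$(policy_value CipherString < "$cfg")" | rc4_suites
```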