Fred Picher wrote:
> Hello,
>
> Thanks for your reply.  
>
>   
>> If this is not sufficient you may check out ssl/sslv3.c etc and
>> actually remove the ciphers you don't want to support in your
>> libssl from the registration tables.
>>     
>
> As a test, I've commented out every cipher definition in
> ssl/s3_lib.c, like this example:
>
> The list is:
>
> OPENSSL_GLOBAL SSL_CIPHER ssl3_ciphers[]={ [...] }
>
> And a typical commented entry is:
>
> /* Cipher 05 */
> /*
>       {
>       1,
>       SSL3_TXT_RSA_RC4_128_SHA,
>       SSL3_CK_RSA_RC4_128_SHA,
>       SSL_kRSA|SSL_aRSA|SSL_RC4  |SSL_SHA1|SSL_SSLV3,
>       SSL_NOT_EXP|SSL_MEDIUM,
>       0,
>       128,
>       128,
>       SSL_ALL_CIPHERS,
>       SSL_ALL_STRENGTHS,
>       },
> */
>
> None are left uncommented.  But still, after make clean,
> Configure, make depend, make and installation, the system
> reports:
>
> openssl ciphers -v
> DES-CBC3-MD5            SSLv2 Kx=RSA      Enc=3DES(168) Mac=MD5
> RC2-CBC-MD5             SSLv2 Kx=RSA      Enc=RC2(128)  Mac=MD5
> RC4-MD5                 SSLv2 Kx=RSA      Enc=RC4(128)  Mac=MD5
> DES-CBC-MD5             SSLv2 Kx=RSA      Enc=DES(56)   Mac=MD5
> EXP-RC2-CBC-MD5         SSLv2 Kx=RSA(512) Enc=RC2(40)   Mac=MD5  export
> EXP-RC4-MD5             SSLv2 Kx=RSA(512) Enc=RC4(40)   Mac=MD5  export
>
> Which is much less than before but, where are these coming from
> since everything is commented out ?  I do not mind that much the
> low encryption ciphers, but the first three are a bother.  I can
> add more of the low encryption ciphers by uncommenting their
> respective declaration, but I cannot get rid of the first three.
>
> Now, 3DES might be somehow dynamically added to the list when DES
> is present.  That could make sense and would mean that the actual
> DES-specific code would have to be modified to separate 3DES.
>
> Would that be also the case for the two high-crypto RC2 and RC4 ?
> Can they be variations added dynamically to the cipher list and
> not have a proper static definition in ssl/s3_lib.c ?

You did not read the fine print :-) The ciphers listed apply to SSLv2
(second column of the output above).
Hence you have to edit ssl/s2_lib.c as well (that was the "etc" :-)

Best regards,
    Lutz
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
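
Added example, not part of the original thread or of OpenSSL's own code: a shell helper that reads `openssl ciphers -v` output and uses the protocol column to report which registration table each remaining entry comes from. The SSLv2 to ssl/s2_lib.c and SSLv3 to ssl/s3_lib.c mapping is taken from the messages above; the function names are hypothetical and the sample input is the six lines quoted in the thread.

```shell
#!/bin/sh
# Usage on a real build:  openssl ciphers -v | cipher_tables

# Sample input: the six lines of output quoted in the thread above.
sample_output() {
cat <<'EOF'
DES-CBC3-MD5            SSLv2 Kx=RSA      Enc=3DES(168) Mac=MD5
RC2-CBC-MD5             SSLv2 Kx=RSA      Enc=RC2(128)  Mac=MD5
RC4-MD5                 SSLv2 Kx=RSA      Enc=RC4(128)  Mac=MD5
DES-CBC-MD5             SSLv2 Kx=RSA      Enc=DES(56)   Mac=MD5
EXP-RC2-CBC-MD5         SSLv2 Kx=RSA(512) Enc=RC2(40)   Mac=MD5  export
EXP-RC4-MD5             SSLv2 Kx=RSA(512) Enc=RC4(40)   Mac=MD5  export
EOF
}

# Reads `openssl ciphers -v` output on stdin and prints one tab-separated
# record per cipher: source table, protocol, cipher name, key bits.
cipher_tables() {
  awk '
    NF >= 5 {
      proto = $2
      # Mapping as given in the thread; other protocols are not discussed there.
      table = "(not covered in this thread)"
      if (proto == "SSLv2") table = "ssl/s2_lib.c"
      else if (proto == "SSLv3") table = "ssl/s3_lib.c"
      bits = "0"                       # e.g. Enc=None has no bit count
      for (i = 3; i <= NF; i++)
        if ($i ~ /^Enc=/ && $i ~ /\(/) {
          bits = $i
          sub(/^.*\(/, "", bits)       # drop everything up to "("
          sub(/\).*$/, "", bits)       # drop ")" and anything after it
        }
      printf "%s\t%s\t%s\t%s\n", table, proto, $1, bits
    }'
}

# Counts the entries still registered per source table ("table=count").
table_summary() {
  cipher_tables | awk -F'\t' '{ n[$1]++ } END { for (t in n) print t "=" n[t] }' | sort
}

# Stand-alone run on the sample input.
sample_output | cipher_tables
sample_output | table_summary
```

A table that should be empty after rebuilding shows up here with a non-zero count, which points at the file that still needs editing.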