disable weak ciphers in SSL connection

Ravi picture Ravi · Sep 23, 2010 · Viewed 44.3k times · Source

I am using the function SSL_CTX_set_cipher_list to set the ciphers supported for the SSL connection. What argument to pass to SSL_CTX_set_cipher_list to disable weak ciphers.

I tried passing ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH

but it doesn't seem to work.

My tool to detect weak cipher reports for the following as enabled still

** SSLv3:DES-CBC-SHA - ENABLED - WEAK 56 bits **

** TLSv1:DES-CBC-SHA - ENABLED - WEAK 56 bits **

** SSLv2:RC4-MD5 - ENABLED - WEAK 128 bits **
** SSLv2:RC2-CBC-MD5 - ENABLED - WEAK 128 bits **
** SSLv2:RC4-64-MD5 - ENABLED - WEAK 64 bits **
** SSLv2:DES-CBC-MD5 - ENABLED - WEAK 56 bits **
** SSLv2:EXP-RC4-MD5 - ENABLED - WEAK 40 bits **
** SSLv2:EXP-RC2-CBC-MD5 - ENABLED - WEAK 40 bits **
** SSLv2:DES-CBC3-MD5 - ENABLED - WEAK 168 bits **

What argument to pass to SSL_CTX_set_cipher_list to disable the above ciphers?

Answer

Gerhard Schlager picture Gerhard Schlager · Sep 23, 2010

HIGH:!DSS:!aNULL@STRENGTH should work.

openssl ciphers -v 'HIGH:!DSS:!aNULL@STRENGTH' prints the following list of ciphers:

DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1

For a complete list of OpenSSL cipher strings and their meaning take a look at: http://www.openssl.org/docs/apps/ciphers.html