disable weak ciphers in SSL connection
I am using the function SSL_CTX_set_cipher_list to set the ciphers supported for the SSL connection. What argument to pass to SSL_CTX_set_cipher_list to disable weak ciphers.
I tried passing ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH
but it doesn't seem to work.
My tool to detect weak cipher reports for the following as enabled still
** SSLv3:DES-CBC-SHA - ENABLED - WEAK 56 bits ** ** TLSv1:DES-CBC-SHA - ENABLED - WEAK 56 bits ** ** SSLv2:RC4-MD5 - ENABLED - WEAK 128 bits ** ** SSLv2:RC2-CBC-MD5 - ENABLED - WEAK 128 bits ** ** SSLv2:RC4-64-MD5 - ENABLED - WEAK 64 bits ** ** SSLv2:DES-CBC-MD5 - ENABLED - WEAK 56 bits ** ** SSLv2:EXP-RC4-MD5 - ENABLED - WEAK 40 bits ** ** SSLv2:EXP-RC2-CBC-MD5 - ENABLED - WEAK 40 bits ** ** SSLv2:DES-CBC3-MD5 - ENABLED - WEAK 168 bits **
What argument to pass to SSL_CTX_set_cipher_list to disable the above ciphers?
Answer
HIGH:!DSS:!aNULL@STRENGTH should work.
openssl ciphers -v 'HIGH:!DSS:!aNULL@STRENGTH' prints the following list of ciphers:
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
For a complete list of OpenSSL cipher strings and their meaning take a look at: http://www.openssl.org/docs/apps/ciphers.html