How to enable 3DES SSL Ciphers for OpenSSL 1.0.2k

4

3

OpenSSL 1.0.2k has removed 3DES ciphers by default, which means some legacy browsers (e.g. IE8 on Windows XP) can no longer be supported.

According to the OpenSSL official blog, to re-enable 3DES ciphers we should add the enable-weak-ssl-ciphers flag when compiling.

So, how to cope with that? Are any other flags required when compiling? Plus, can I cover the OpenSSL installed by dpkg (the Debian package management tool) with the self-compiled, 3DES-enabled version? If it's practicable, how?

Thanks :-)

Hardrain

Posted 2017-02-16T02:20:24.337

Reputation: 61

Surely WinXP supports more than just 3DES? – user1686 – 2017-02-16T07:39:55.773

Answers

2

Since I haven't got any helpful answer to this issue, I'd like to share what I've done about it.

First you should get the tools for building software and the dependencies for OpenSSL (e.g. on Debian-like distros):

apt install build-essential make zlib1g-dev libxml2-dev

Then get the latest release of OpenSSL, verify the signature and compile it with the option enable-weak-ssl-ciphers. If you want to regain support for the obsolete SSLv3 for the GOD D**N Microsoft IE6, enable-ssl3 and enable-ssl3-method should also be appended to the compile options.

Don't forget the shared flag, or libssl.so and libcrypto.so won't be built, and use -Wl,-rpath= to tell the linker (ld) which directory to link the shared libraries from.

wget https://www.openssl.org/source/openssl-1.0.2o.tar.gz
# compute the local digest and fetch the published one; the two must match before unpacking
sha256sum openssl-1.0.2o.tar.gz
curl https://www.openssl.org/source/openssl-1.0.2o.tar.gz.sha256

tar -zxvf openssl-1.0.2o.tar.gz
cd openssl-1.0.2o/

./config --prefix=/opt/openssl-1.0.2 \
--openssldir=/etc/ssl \
shared enable-weak-ssl-ciphers \
-Wl,-rpath=/opt/openssl-1.0.2/lib

make
make install

After that, your custom version of OpenSSL will be installed into /opt/openssl-1.0.2 (rather than overwriting the version shipped with your OS).

Your applications may also have to be re-compiled with these options, to force the linker to link against your custom version of the OpenSSL libraries (overriding the config from /etc/ld.so.conf or the PKGCONFIG variable):

LDFLAGS="-L/opt/openssl-1.0.2/lib -lssl -lcrypto -Wl,-rpath=/opt/openssl-1.0.2/lib"

You can also try OpenSSL 1.1.0, since most applications now support its API.

Hardrain

Posted 2017-02-16T02:20:24.337

Reputation: 61
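As an added example, not code from the answer above or from the OpenSSL project: a small POSIX shell script that closes the gap in the download step (the digest is fetched but never actually compared) and checks, after make install, that the custom build really exposes 3DES TLS cipher suites and resolves libssl/libcrypto from the answer's /opt/openssl-1.0.2 prefix. It assumes the tarball and its .sha256 file sit in the current directory and that the stdin-parsing helper is fed `openssl ciphers -v` output; note that `openssl ciphers` reports TLS suites, which is a separate question from whether the DES-EDE3 EVP primitive appears in `openssl list -cipher-algorithms`.

```shell
#!/bin/sh
# Added example (not from the answer): integrity check for the downloaded tarball and
# post-install checks for a self-built OpenSSL. Paths assume the answer's /opt/openssl-1.0.2.

# Compare the tarball's SHA-256 with the digest file published beside it on openssl.org.
# Returns 0 only when the two match; on a mismatch the archive must not be built.
verify_tarball_digest() {
    tarball=$1
    digest_file=$2
    # The .sha256 file may carry just the hex digest or "digest  filename"; take the hex token.
    expected=$(grep -oE '[0-9a-fA-F]{64}' "$digest_file" | head -n 1 | tr 'A-F' 'a-f')
    actual=$(sha256sum "$tarball" | cut -d ' ' -f 1)
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Count TLS cipher suites that use 3DES in `openssl ciphers -v` output read on stdin.
# A build made without enable-weak-ssl-ciphers yields 0 here even though the DES-EDE3
# EVP primitive still shows up in `openssl list -cipher-algorithms`.
count_3des_suites() {
    grep -c 'Enc=3DES' || true   # grep -c prints 0 (and exits 1) when nothing matches
}

# Inspect an installed openssl binary: 3DES suite count and which libssl/libcrypto it loads.
# Usage: check_build /opt/openssl-1.0.2/bin/openssl
check_build() {
    bin=$1
    n=$("$bin" ciphers -v 'ALL' 2>/dev/null | count_3des_suites)
    echo "3DES TLS suites available in $bin: $n"
    # The rpath set at configure time should make these resolve under /opt/openssl-1.0.2/lib
    ldd "$bin" | grep -E 'libssl|libcrypto'
}

# Typical flow, mirroring the answer's download step (run manually):
#   verify_tarball_digest openssl-1.0.2o.tar.gz openssl-1.0.2o.tar.gz.sha256 || exit 1
#   ... ./config, make, make install ...
#   check_build /opt/openssl-1.0.2/bin/openssl
```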

0

You will need:

  1. Rebuilding Debian's OpenSSL package, i.e. the version included in your Debian release.
  2. Hosting it somewhere to make it available on all the machines where you want it to replace the original one.
  3. Making sure you rebuild your custom version each time the stock OpenSSL package gets a security update (and hence its new patched version is released through the security updates channel).

Unfortunately, all the steps above require further expansion, so the main question I have is: are you sure triple-DES is disabled in stock Debian builds? On my Stretch system I have:

$ openssl version
OpenSSL 1.1.0c  10 Nov 2016

$ openssl list -cipher-algorithms | grep -i des
DES => DES-CBC
DES-CBC
DES-CFB
DES-CFB1
DES-CFB8
DES-ECB
DES-EDE
DES-EDE-CBC
DES-EDE-CFB
DES-EDE-ECB => DES-EDE
DES-EDE-OFB
DES-EDE3
DES-EDE3-CBC
DES-EDE3-CFB
DES-EDE3-CFB1
DES-EDE3-CFB8
DES-EDE3-ECB => DES-EDE3
DES-EDE3-OFB
DES-OFB
DES3 => DES-EDE3-CBC
DESX => DESX-CBC
DESX-CBC
des => DES-CBC
DES-CBC
DES-CFB
DES-CFB1
DES-CFB8
DES-ECB
DES-EDE
DES-EDE-CBC
DES-EDE-CFB
des-ede-ecb => DES-EDE
DES-EDE-OFB
DES-EDE3
DES-EDE3-CBC
DES-EDE3-CFB
DES-EDE3-CFB1
DES-EDE3-CFB8
des-ede3-ecb => DES-EDE3
DES-EDE3-OFB
DES-OFB
des3 => DES-EDE3-CBC
des3-wrap => id-smime-alg-CMS3DESwrap
desx => DESX-CBC
DESX-CBC
id-smime-alg-CMS3DESwrap

$ openssl list -disabled
Disabled algorithms:
BLAKE2
HEARTBEATS
IDEA
MD2
MDC2
RC5
SCTP
SSL3
ZLIB

Which, to me, suggests that I have a way more recent OpenSSL version than the one you're talking about, and that it has 3DES support.

So, did you test?

kostix

Posted 2017-02-16T02:20:24.337

Reputation: 2 435