How to enable 3DES SSL Ciphers for OpenSSL 1.0.2k
Since I haven't got any helpful answer to solve that issue, I'd like to share what I've done on it.
First you should get the tools for building software and the dependencies for OpenSSL (e.g. on Debian-like distros):
apt install build-essential make zlib1g-dev libxml2-dev
Then get the latest release of OpenSSL, verify the signature and compile it with the option enable-weak-ssl-ciphers. If you want to regain the support of obsolete SSLv3 for the GOD D**N Microsoft IE6, enable-ssl3 and enable-ssl3-method should also be appended to the compile options.
Don't forget the shared flag or libssl.so and libcrypto.so won't be built, and use -Wl,-rpath= to tell the linker (ld) in which directory to link shared libraries.
wget https://www.openssl.org/source/openssl-1.0.2o.tar.gz
sha256sum openssl-1.0.2o.tar.gz
curl https://www.openssl.org/source/openssl-1.0.2o.tar.gz.sha256
tar -zxvf openssl-1.0.2o.tar.gz
cd openssl-1.0.2o/
./config --prefix=/opt/openssl-1.0.2 \
--openssldir=/etc/ssl \
shared enable-weak-ssl-ciphers \
-Wl,-rpath=/opt/openssl-1.0.2/lib
make
make install
After that, your custom version of OpenSSL will be installed into /opt/openssl-1.0.2 (rather than covering the version shipped with your OS).
Your applications may also have to be re-compiled with these options to force the linker to link your custom version of the OpenSSL libraries (overriding the config from /etc/ld.so.conf or the PKGCONFIG variable):
LDFLAGS="-L/opt/openssl-1.0.2/lib -lssl -lcrypto -Wl,-rpath=/opt/openssl-1.0.2/lib"
You can also try OpenSSL 1.1.0, since most applications now support its API.
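A defender's check for the build steps in the answer above, as an added example that is not part of the original answer: it compares the tarball's SHA-256 with the published value instead of reading both by eye, and lists which 3DES suites a build exposes. The function names, the accepted digest-file layouts and the sample cipher listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original answer.

# verify_sha256 FILE DIGEST_FILE
# Exit status 0 only when the SHA-256 of FILE equals the 64-hex-digit value
# found in DIGEST_FILE. Accepts a bare digest, "digest  name" or
# "SHA256(name)= digest"; the exact published layout is an assumption.
verify_sha256() {
    [ -r "$1" ] && [ -r "$2" ] || return 2
    # Split the digest file into maximal hex runs and keep the first 64-digit one.
    want=$(tr -c '0-9A-Fa-f' '\n' < "$2" \
        | grep -E '^[0-9A-Fa-f]{64}$' | head -n 1 | tr 'A-F' 'a-f')
    [ -n "$want" ] || return 2      # no digest found: fail closed
    got=$(sha256sum "$1" | awk '{ print $1 }')
    [ "$got" = "$want" ]
}

# list_3des: read `openssl ciphers -v` output on stdin and print the names of
# suites whose encryption field is Enc=3DES(...).
list_3des() {
    awk '{ for (i = 2; i <= NF; i++)
               if ($i ~ /^Enc=3DES\(/) { print $1; break } }'
}

# Constructed sample in the column layout of `openssl ciphers -v`.
sample_listing() {
    cat <<'EOF'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
EOF
}

# Against the real build (bin/ under the --prefix used in the answer):
#   verify_sha256 openssl-1.0.2o.tar.gz openssl-1.0.2o.tar.gz.sha256 || exit 1
#   /opt/openssl-1.0.2/bin/openssl ciphers -v 'ALL' | list_3des
sample_listing | list_3des
```

An empty result from `list_3des` on the real build means no 3DES suite is available in that binary; any names it prints are the suites to account for in the server's cipher string.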
Hardrain
Updated on September 18, 2022
Comments
Hardrain over 1 year
OpenSSL 1.0.2k has removed 3DES ciphers by default, which means some legacy browsers (e.g. IE8 on Windows XP) can no longer be supported.
According to the OpenSSL official blog, to re-enable 3DES ciphers, we should add the enable-weak-ssl-ciphers flag when compiling. So, how to cope with that? Are any other flags required when compiling? Plus, can I cover the OpenSSL installed by DPKG (the Debian package management tool) with the self-compiled, 3DES-enabled version? If it's practicable, how to?
Thanks :-)