How to enable 3DES SSL Ciphers for OpenSSL 1.0.2k


Since I haven't got any helpful answer to solve that issue, I'd like to share what I've done on it.

First you should get the tools for building software and the dependencies for OpenSSL (e.g. on Debian-like distros):

apt install build-essential make zlib1g-dev libxml2-dev

Then get the latest release of OpenSSL, verify the signature and compile it with the option enable-weak-ssl-ciphers. If you want to regain support for the obsolete SSLv3 for the GOD D**N Microsoft IE6, enable-ssl3 and enable-ssl3-method should also be appended to the compile options.

Don't forget the shared flag, or libssl.so and libcrypto.so won't be built, and use -Wl,-rpath= to tell the linker (ld) which directory to load the shared libraries from.

wget https://www.openssl.org/source/openssl-1.0.2o.tar.gz
sha256sum openssl-1.0.2o.tar.gz
curl https://www.openssl.org/source/openssl-1.0.2o.tar.gz.sha256

tar -zxvf openssl-1.0.2o.tar.gz
cd openssl-1.0.2o/

./config --prefix=/opt/openssl-1.0.2 \
--openssldir=/etc/ssl \
shared enable-weak-ssl-ciphers \
-Wl,-rpath=/opt/openssl-1.0.2/lib

make
make install

After that, your custom version of OpenSSL will be installed into /opt/openssl-1.0.2 (rather than overwriting the version shipped with your OS).

Your applications may also have to be recompiled with these options, which force the linker to link against your custom OpenSSL libraries (overriding the configuration from /etc/ld.so.conf or the PKGCONFIG variable):

LDFLAGS="-L/opt/openssl-1.0.2/lib -lssl -lcrypto -Wl,-rpath=/opt/openssl-1.0.2/lib"

You can also try OpenSSL 1.1.0, since most applications now support its API.
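As an added check (an example script, not part of the original post): after building and relinking, confirm that the custom openssl really lists 3DES suites and that a rebuilt application resolves libssl from /opt/openssl-1.0.2/lib rather than from the distro copy. The prefix and the application path are assumptions; adjust them to your layout.

```shell
#!/bin/sh
# Added example (not from the original post). Verifies that the custom
# OpenSSL build offers 3DES suites and that a rebuilt application picks up
# libssl from the custom prefix (i.e. the -Wl,-rpath setting took effect).
# OPENSSL_PREFIX and the APP argument are assumptions; adjust to your paths.
OPENSSL_PREFIX="${OPENSSL_PREFIX:-/opt/openssl-1.0.2}"

# Reads "openssl ciphers -v" output on stdin and prints how many suites
# use 3DES (the Enc=3DES(168) column). A stock 1.0.2k build prints 0.
count_3des_suites() {
    awk '/Enc=3DES/ { n++ } END { print n + 0 }'
}

# Reads "ldd <binary>" output on stdin and prints the libssl path the
# dynamic loader resolved. Fails if libssl is absent or "not found".
resolved_libssl() {
    awk '$1 ~ /^libssl\.so/ && $2 == "=>" && $3 ~ /^\// { print $3; ok = 1 }
         END { exit !ok }'
}

# Succeeds only when the resolved libssl lives under OPENSSL_PREFIX/lib.
uses_custom_openssl() {
    path=$(resolved_libssl) || return 1
    case "$path" in
        "$OPENSSL_PREFIX"/lib/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Runs both checks against the real binaries: ./check_build.sh /path/to/app
check_build() {
    app="$1"
    n=$("$OPENSSL_PREFIX/bin/openssl" ciphers -v 'ALL:COMPLEMENTOFALL' \
        | count_3des_suites)
    echo "3DES suites offered by $OPENSSL_PREFIX: $n"
    if ldd "$app" | uses_custom_openssl; then
        echo "$app resolves libssl from $OPENSSL_PREFIX/lib"
    else
        echo "$app does NOT use the custom libssl; check -Wl,-rpath" >&2
        return 1
    fi
}

if [ $# -eq 1 ]; then
    check_build "$1"
fi
```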

Author: Hardrain

Updated on September 18, 2022

Comments

  • Hardrain (over 1 year ago)

    OpenSSL 1.0.2k has removed 3DES ciphers by default, which means some legacy browsers (e.g. IE8 on Windows XP) can no longer be supported.

    According to the official OpenSSL blog, to re-enable 3DES ciphers we should add the enable-weak-ssl-ciphers flag when compiling.

    So, how to cope with that? Are any other flags required when compiling? Plus, can I overwrite the OpenSSL installed by DPKG (the Debian package management tool) with the self-compiled, 3DES-enabled version? If it's practicable, how?

    Thanks :-)