troubleshooting Question

OpenSSL - Selecting Ciphers

Avatar of jpetter
jpetter asked on
SecurityVulnerabilitiesEncryption
15 Comments1 Solution4200 ViewsLast Modified:
Hi,
I've been banging my head against my desk far too long on this, and couldn't figure anything out, so hence my question.

When using OpenSSL, how can I disable certain ciphers, disable certain versions (SSLv2), and perhaps how to enable only certain ciphers? In the 'Network Security with OpenSSL' book, it states that SSL will usually use the first cipher in a list to make the connection with. When I run 'openssl ciphers -v' I get a long unordered list of ciphers. When I make a connection using something like: 'openssl s_client -connect host:port, in the output I can see that I am connecting with DES_CBC3-SHA. If I then "think" I am setting the cipher list by issuing a command like this: "openssl ciphers -v 'SSLv3+HIGH:TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:@STRENGTH'" , and then try the connect command again, I can see I am using the same cipher.

The driving force for this is that I need to remediate a number of hosts that were flagged during a recent vulnerability scan with findings similar to 'SSL Medium Cipher Suite Supported", or "SSL v2 Detected", and "SSL Weak Cipher Suite Supported". I have a list of specific ciphers that the scanner didn't like, and would like to disable those. Is that possible with OpenSSL? I thought it might be kept in the openssl.cnf file, but that seems to be more related to issuing certificates. I would like to know: how to enable/disable specific ciphers so that only those selected/enabled will be used, and how to disable SSLv2.

I would tremendously appreciate any help on this.

Thanks,
Jeff
ASKER CERTIFIED SOLUTION
Join our community to see this answer!
Unlock 1 Answer and 15 Comments.
Start Free Trial
Learn from the best

Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.

Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 1 Answer and 15 Comments.
Try for 7 days

”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.

-Mike Kapnisakis, Warner Bros