OpenSSL - Selecting Ciphers

jpetter
Hi,
I've been banging my head against my desk far too long on this, and couldn't figure anything out, so hence my question.

When using OpenSSL, how can I disable certain ciphers, disable certain versions (SSLv2), and perhaps how to enable only certain ciphers? In the 'Network Security with OpenSSL' book, it states that SSL will usually use the first cipher in a list to make the connection with. When I run 'openssl ciphers -v' I get a long unordered list of ciphers. When I make a connection using something like: 'openssl s_client -connect host:port, in the output I can see that I am connecting with DES_CBC3-SHA. If I then "think" I am setting the cipher list by issuing a command like this: "openssl ciphers -v 'SSLv3+HIGH:TLSv1+HIGH:!SSLv2:!aNULL:!eNULL:@STRENGTH'" , and then try the connect command again, I can see I am using the same cipher.

The driving force for this is that I need to remediate a number of hosts that were flagged during a recent vulnerability scan with findings similar to 'SSL Medium Cipher Suite Supported", or "SSL v2 Detected", and "SSL Weak Cipher Suite Supported". I have a list of specific ciphers that the scanner didn't like, and would like to disable those. Is that possible with OpenSSL? I thought it might be kept in the openssl.cnf file, but that seems to be more related to issuing certificates. I would like to know: how to enable/disable specific ciphers so that only those selected/enabled will be used, and how to disable SSLv2.

I would tremendously appreciate any help on this.

Thanks,
Jeff
Distinguished Expert 2017

Commented:
openssl ciphers -v displays the options; it does not set them permanently.

If you are using connect, you would define the available ciphers on the same line.

You could also configure OpenSSL openssl.conf

http://www.mkssoftware.com/docs/man1/openssl_ciphers.1.asp

Using -ssl2 -ssl3 or -tls1 might be an option.

Are you testing something, or is it a permanent implementation for something?

Usually one limits ciphers/connection on the server end while the client connecting in has the broadest set of options.

Author

Commented:
Thank you Arnold! These changes will become permanent. The scanner is picking up all enabled ciphers <= 56 bits and calling them either weak or medium. To get by the scan, I need to "disable" them.
Distinguished Expert 2017

Commented:
What is being scanned? An ssl web server, mail server, pop, imap servers?

Author

Commented:
There are over 100 servers on that scan request, and most are either web, app, or db servers.

Thanks,
Jeff
Distinguished Expert 2017

Commented:
Depending on the options for each service, you might be able to restrict which ciphers are available for negotiation.

Author

Commented:
Thanks again arnold. Can I infer then from this response that the cipher list is really determined at the application level - the app using SSL - as opposed to the installation/configuration of SSL on the server?
Distinguished Expert 2017
Commented:
I think you can within OpenSSL.conf configure the limitation or configure the limitation at compilation.
For apache web server
http://httpd.apache.org/docs/2.0/ssl/ssl_howto.html

Different applications have their own configuration settings example
http://www.skytale.net/blog/archives/22-SSL-cipher-settings.html

Note that some applications rely on the installed OpenSSL; some may have been statically compiled with SSL libraries.
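Added example (not from the thread or from OpenSSL itself): the questioner's confusion was that `openssl ciphers -v '<string>'` only evaluates a cipher string, while the list actually used is whatever the server application hands to OpenSSL. The Python snippet below does the same evaluation programmatically through Python's built-in `ssl` module (which wraps the system OpenSSL), flags any suite under a chosen strength threshold the way the scanner would, and then shows how a server-side context applies the list together with a minimum protocol version. The cipher string `HARDENED_CIPHERS` and the 128-bit threshold are constructed for this example; which suites it expands to depends on the OpenSSL build Python is linked against.

```python
import ssl

# Constructed example cipher string: strong suites only, no anonymous or
# null ciphers, 3DES/RC4/MD5/DSS excluded, ordered strongest first.
HARDENED_CIPHERS = "HIGH:!aNULL:!eNULL:!3DES:!RC4:!MD5:!DSS:@STRENGTH"


def expand_cipher_list(cipher_string):
    """Return the suites an OpenSSL cipher string selects, in preference
    order, as (name, protocol, strength_bits) tuples.

    Programmatic equivalent of `openssl ciphers -v '<string>'`: it only
    evaluates the string against the linked OpenSSL and changes nothing
    system-wide. Raises ssl.SSLError if the string matches no suite.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [(c["name"], c["protocol"], c["strength_bits"])
            for c in ctx.get_ciphers()]


def weak_ciphers(cipher_string, min_bits=128):
    """Names of suites in the expanded list below the strength threshold,
    i.e. what a scanner would still flag as weak/medium for this string."""
    return [name for name, _proto, bits in expand_cipher_list(cipher_string)
            if bits < min_bits]


def hardened_server_context(cipher_string=HARDENED_CIPHERS):
    """Server-side context that applies the restricted list.

    This is where the list takes effect: the application building the
    listening socket decides the suites, not `openssl ciphers`. Setting a
    minimum version refuses SSLv3/TLS 1.0/1.1 handshakes outright (modern
    OpenSSL no longer contains SSLv2 at all).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)
    # Make the server's order win, so "first cipher in the list" is
    # the server's first, not the client's.
    ctx.options |= ssl.OP_CIPHER_SERVER_PREFERENCE
    return ctx


def report(cipher_string):
    """Human-readable view of what a cipher string selects."""
    lines = []
    for name, proto, bits in expand_cipher_list(cipher_string):
        lines.append(f"{name:<32} {proto:<8} {bits:>4} bits")
    flagged = weak_ciphers(cipher_string)
    lines.append("weak suites: " + (", ".join(flagged) if flagged else "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(HARDENED_CIPHERS))
    ctx = hardened_server_context()
    print("minimum protocol:", ctx.minimum_version.name)
```

`weak_ciphers()` is the check to run before rolling a string out to a hundred servers: it tells you whether the string, on the OpenSSL build in question, still leaves anything the scanner will flag. For applications such as Apache, the same string goes into that application's own setting (e.g. `SSLCipherSuite`), not into openssl.cnf.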

Author

Commented:
Thank you very much for the help. I think I have enough to get started with. If I run into another wall, I'll post another question.

Thanks again for the prompt responses.

Author

Commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for jpetter's comment #37999415

for the following reason:

Answers were directly relevant to my questions, easy to understand, and the response time was excellent.
Distinguished Expert 2017

Commented:
You chose your own answer as the solution to the question, is that your intent?

Author

Commented:
No, not at all. I thought I clicked Accept as Solution on your last post. I'll try it again.
Distinguished Expert 2017

Commented:
You acknowledge that the posts I made helped you and clarified your issues, yet you choose the comment stating that as the solution.

Author

Commented:
Answers were directly relevant to my questions, easy to understand, and the response time was excellent.

Author

Commented:
That was not my intent at all....I just went in again and selected your last response, and I see it posted my comment from the "grading" as a comment under the question...not sure what's going on.

Author

Commented:
Now it does look like it correctly acknowledged your comment as the correct answer. Thanks.
