Enabling RC4 from command line tools in OpenSSL 3.1


Ladd, Watson

Sep 6, 2024, 6:04:39 PM
to openss...@openssl.org

Dear users,


I have been struggling to sort out what compile flags and arguments are required to get s_client from OpenSSL 3.1.7 to connect to a server with only RC4 enabled. I thought ./Configure enable-rc4 enable-weak-ssl-ciphers would be enough, and then ./openssl s_client -tls1 -cipher RC4. However, this results in

Call to SSL_CONF_cmd(-cipher, RC4) failed

004CA1EE01000000:error:0A0000B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl/ssl_lib.c:2909


which surprises me.


What am I missing?


Sincerely,

Watson Ladd

Ladd, Watson

Sep 6, 2024, 6:56:49 PM
to Dmitry Belyavsky, openss...@openssl.org


That was a very good idea, but sadly still doesn't work


DYLD_LIBRARY_PATH=`cd .. && pwd` ./openssl s_client -tls1 -cipher RC4  -provider-path /Users/wladd/code/openssl/providers/ -provider legacy

004CA1EE01000000:error:0A0000A1:SSL routines:SSL_CTX_new_ex:library has no ciphers:ssl/ssl_lib.c:3474


Suspect something went awry in configuring compiling that.



From: Dmitry Belyavsky <bel...@gmail.com>
Sent: Friday, September 6, 2024 11:25:46 AM
To: Ladd, Watson
Cc: openss...@openssl.org
Subject: Re: Enabling RC4 from command line tools in OpenSSL 3.1
 

I think you should load the legacy provider. The default provider
doesn't implement RC4.



--
SY, Dmitry Belyavsky

Viktor Dukhovni

Sep 6, 2024, 7:40:05 PM
to openss...@openssl.org
On Fri, Sep 06, 2024 at 06:56:41PM +0000, 'Ladd, Watson' via openssl-users wrote:
>
> That was a very good idea, but sadly still doesn't work
>
>
> DYLD_LIBRARY_PATH=`cd .. && pwd` ./openssl s_client -tls1 -cipher RC4 -provider-path /Users/wladd/code/openssl/providers/ -provider legacy
>
> 004CA1EE01000000:error:0A0000A1:SSL routines:SSL_CTX_new_ex:library has no ciphers:ssl/ssl_lib.c:3474
>
>
> Suspect something went awry in configuring compiling that.

You still need the default provider for the KEX and MAC algorithms, ...

$ ./util/wrap.pl ./apps/openssl ciphers -tls1_2 -s -v -provider legacy RC4:@SECLEVEL=0
80BBAB49927F0000:error:0A0000A1:SSL routines:SSL_CTX_new_ex:library has no ciphers:ssl/ssl_lib.c:3977:

$ ./util/wrap.pl ./apps/openssl ciphers -tls1_2 -s -v -provider default -provider legacy RC4:@SECLEVEL=0
ECDHE-ECDSA-RC4-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=RC4(128) Mac=SHA1
ECDHE-RSA-RC4-SHA TLSv1 Kx=ECDH Au=RSA Enc=RC4(128) Mac=SHA1
AECDH-RC4-SHA TLSv1 Kx=ECDH Au=None Enc=RC4(128) Mac=SHA1
ADH-RC4-MD5 SSLv3 Kx=DH Au=None Enc=RC4(128) Mac=MD5
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5

--
Viktor.
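
Added example, not part of the thread: a small model of the point made in the message above, that every RC4 suite also depends on key-exchange, authentication and MAC algorithms from the default provider. It reads `openssl ciphers -v` lines and prints the suites whose algorithms are all covered by the providers named; the `LEGACY_ENC` list and the function names are assumptions of this example, and security levels are not modelled.

```shell
#!/bin/sh
# Added example: which suites in `openssl ciphers -v` output are usable with
# a given set of loaded providers.
# Assumption: only the Enc= values listed in LEGACY_ENC live in the legacy
# provider; Kx, Au and Mac algorithms (ECDH, DH, RSA, ECDSA, SHA1, MD5)
# come from the default provider.
LEGACY_ENC="RC4 IDEA SEED"

# Sample input: the six suites printed in the message above.
sample_ciphers() {
cat <<'EOF'
ECDHE-ECDSA-RC4-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=RC4(128) Mac=SHA1
ECDHE-RSA-RC4-SHA TLSv1 Kx=ECDH Au=RSA Enc=RC4(128) Mac=SHA1
AECDH-RC4-SHA TLSv1 Kx=ECDH Au=None Enc=RC4(128) Mac=SHA1
ADH-RC4-MD5 SSLv3 Kx=DH Au=None Enc=RC4(128) Mac=MD5
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
EOF
}

# usable_with PROVIDER...: read `openssl ciphers -v` lines on stdin and print
# the names of suites whose every algorithm has a loaded provider.
usable_with() {
  awk -v loaded="$*" -v legacy_enc="$LEGACY_ENC" '
    BEGIN {
      n = split(loaded, p, " ");     for (i = 1; i <= n; i++) have[p[i]] = 1
      n = split(legacy_enc, e, " "); for (i = 1; i <= n; i++) legacy[e[i]] = 1
    }
    NF >= 6 {
      ok = 1
      for (i = 3; i <= NF; i++) {
        split($i, kv, "=")
        alg = kv[2]
        sub(/\(.*/, "", alg)            # Enc=RC4(128) -> RC4
        if (alg == "None") continue     # Au=None: nothing to fetch
        need = (kv[1] == "Enc" && (alg in legacy)) ? "legacy" : "default"
        if (!(need in have)) ok = 0
      }
      if (ok) print $1
    }'
}

# Compare the three provider combinations tried in the thread.
for provs in "legacy" "default" "default legacy"; do
  printf '%s: %s suite(s) usable\n' "$provs" \
    "$(sample_ciphers | usable_with $provs | wc -l | tr -d ' ')"
done
```

To audit a real build, pipe its own `openssl ciphers -v` output into `usable_with` in place of `sample_ciphers`.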

Ladd, Watson

Sep 6, 2024, 7:45:10 PM
to Dmitry Belyavsky, openss...@openssl.org


A coworker suggested that earlier, still no luck. Has anyone gotten this to work?



From: Dmitry Belyavsky <bel...@gmail.com>
Sent: Friday, September 6, 2024 12:00:02 PM

To: Ladd, Watson
Cc: openss...@openssl.org
Subject: Re: Enabling RC4 from command line tools in OpenSSL 3.1

SECLEVEL=0?
--
SY, Dmitry Belyavsky

Ladd, Watson

Sep 6, 2024, 7:48:32 PM
to openss...@openssl.org

Thank you, that worked.


From: openss...@openssl.org <openss...@openssl.org> on behalf of Viktor Dukhovni <openss...@dukhovni.org>
Sent: Friday, September 6, 2024 12:39:54 PM
To: openss...@openssl.org

Subject: Re: Enabling RC4 from command line tools in OpenSSL 3.1
 

Dmitry Belyavsky

Sep 9, 2024, 1:40:36 PM
to Ladd, Watson, openss...@openssl.org
SECLEVEL=0?

On Fri, Sep 6, 2024 at 8:56 PM Ladd, Watson <wl...@akamai.com> wrote:
>
>
--
SY, Dmitry Belyavsky

Dmitry Belyavsky

Sep 9, 2024, 1:40:36 PM
to Ladd, Watson, openss...@openssl.org
I think you should load the legacy provider. The default provider
doesn't implement RC4.

On Fri, Sep 6, 2024 at 8:04 PM 'Ladd, Watson' via openssl-users
<openss...@openssl.org> wrote:
>



--
SY, Dmitry Belyavsky