disable weak ciphers in SSL connection

I am using the function SSL_CTX_set_cipher_list to set the ciphers supported for the SSL connection. What argument to pass to SSL_CTX_set_cipher_list to disable weak ciphers.

I tried passing ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH

but it doesn't seem to work.开发者_高级运维

My tool to detect weak cipher reports for the following as enabled still

** SSLv3:DES-CBC-SHA - ENABLED - WEAK 56 bits **

** TLSv1:DES-CBC-SHA - ENABLED - WEAK 56 bits **

** SSLv2:RC4-MD5 - ENABLED - WEAK 128 bits **
** SSLv2:RC2-CBC-MD5 - ENABLED - WEAK 128 bits **
** SSLv2:RC4-64-MD5 - ENABLED - WEAK 64 bits **
** SSLv2:DES-CBC-MD5 - ENABLED - WEAK 56 bits **
** SSLv2:EXP-RC4-MD5 - ENABLED - WEAK 40 bits **
** SSLv2:EXP-RC2-CBC-MD5 - ENABLED - WEAK 40 bits **
** SSLv2:DES-CBC3-MD5 - ENABLED - WEAK 168 bits **

What argument to pass to SSL_CTX_set_cipher_list to disable the above ciphers?

---

HIGH:!DSS:!aNULL@STRENGTH should work.

openssl ciphers -v 'HIGH:!DSS:!aNULL@STRENGTH' prints the following list of ciphers:

DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1

For a complete list of OpenSSL cipher strings and their meaning take a look at: http://www.openssl.org/docs/apps/ciphers.html

---

What argument to pass to SSL_CTX_set_cipher_list to disable weak ciphers

It depends upon who's defintion of weak you are using. In 2015, you have to bump from effectively HIGH:!aNULL because modern browsers reject some of the ciphers included with HIGH. If you allow MD5 and/or RC4, then you get the obsolete cryptography warning.

HIGH:!aNULL:!MD5:!RC4

The call would look like so:

rc = SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL:!MD5:!RC4");
ASSERT(rc >= 1);

You should also disable SSLv2, SSLv3 and probably compression. You do it like so:

const long flags = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION;
SSL_CTX_set_options(ctx, flags);

SSL_CTX_set_options does not return a value, so there's nothing to test to ensure the call succeeds.