
I am using OpenSSL on Windows, and trying to simply assess if a remote server has old ciphers (RC4) enabled.

My current OpenSSL version is v3.0.8. I actually already found some help here ("How to enable the OpenSSL 3.0 legacy provider Github Actions?"), but it is not enough in my case. Note that I am not compiling anything, just trying to use the regular installed Win64-OpenSSL with the legacy provider.

I've already modified my OpenSSL configuration file to add and activate the legacy provider. I've also configured the OPENSSL_MODULES environment variable to find the legacy dll (in its default post-install location, under C:\Program Files\OpenSSL-Win64\bin).

Thanks to that, I can actually run this:

>openssl list -providers -provider legacy

Providers:
  legacy
    name: OpenSSL Legacy Provider
    version: 3.0.8
    status: active

But it seems to be an "empty box" when I run:

>openssl ciphers -provider legacy -v

6C1F0000:error:0A0000A1:SSL routines:SSL_CTX_new_ex:library has no ciphers:ssl\ssl_lib.c:3290:

And I get the same error when trying to connect to my remote server.

Would anyone have some help? :)

Seril

1 Answer

For people having the same issue: I actually had to build my own OpenSSL version, adding just a flag to "enable-weak-ssl-ciphers" during the build. The step-by-step would be like:

  • Download OpenSSL sources from their website
  • Download & install Visual Studio (when installing, select only the Desktop Development with C++ package, no other package is needed)
  • Download & install Strawberry Perl + NASM for Windows
  • Add the NASM folder to your Path environment variable (then check that it works by running "nasm -v" in a cmd prompt)
  • With any text editor, open the "openssl.cnf" file from the extracted OpenSSL sources folder and add the following lines : OpenSSL conf file modification
  • Launch as admin the "x64 Native Tools Command Prompt" from Windows menu > Visual Studio folder
  • With cd, get to the OpenSSL sources folder
  • Run perl Configure VC-WIN64A enable-weak-ssl-ciphers --prefix="C:\Program Files\OpenSSL-Win64" (the last path is where OpenSSL will be later installed, can be anything)
  • Then run nmake: this can take a while (15-30min I'd say)
  • Then run nmake install

And you're done :)

I got my answer directly on the OpenSSL GitHub page: https://github.com/openssl/openssl/issues/20526

And to build my own OpenSSL I followed this excellent step-by-step guide: https://developers.refinitiv.com/en/article-catalog/article/how-to-build-openssl--zlib--and-curl-libraries-on-windows

Seril
  • Hi, thanks for answering. In the interest of the longevity of the usefulness of the answer, please consider adding some specifics to your answer, so that when (not IF!) these links no longer work, your answer is still helpful to others. – Mmm Mar 23 '23 at 21:08
  • Hi, you're right, I just added the step-by-step – Seril Mar 30 '23 at 06:30
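
One way to script the RC4 check from the question once a build with RC4 suites is installed, as an added example that is not part of the original posts: it first confirms that the local openssl really lists RC4 suites (a client without them makes every server look clean), then offers each suite to the server in turn. The install path, the use of -no_tls1_3 and @SECLEVEL=0, and the sample outputs are assumptions or constructed values.

```python
import re
import subprocess
import sys

# Assumption: the rebuilt binary lives under the --prefix chosen at Configure time.
OPENSSL = r"C:\Program Files\OpenSSL-Win64\bin\openssl.exe"
# RC4 itself is implemented in the legacy provider; default supplies the rest.
PROVIDERS = ["-provider", "legacy", "-provider", "default"]

# Constructed sample output, used only to exercise the parsers offline.
SAMPLE_CIPHERS = (
    "ECDHE-RSA-RC4-SHA  TLSv1  Kx=ECDH  Au=RSA  Enc=RC4(128)  Mac=SHA1\n"
    "RC4-SHA            SSLv3  Kx=RSA   Au=RSA  Enc=RC4(128)  Mac=SHA1\n"
    "AES128-SHA         SSLv3  Kx=RSA   Au=RSA  Enc=AES(128)  Mac=SHA1\n")
SAMPLE_ACCEPTED = "New, TLSv1.2, Cipher is RC4-SHA\n"
SAMPLE_REFUSED = "New, (NONE), Cipher is (NONE)\n"

def rc4_suites(ciphers_output):
    """Names of the RC4 suites listed in `openssl ciphers -v` output."""
    return [f[0] for f in (l.split() for l in ciphers_output.splitlines())
            if any(x.startswith("Enc=RC4") for x in f)]

def negotiated_cipher(s_client_output):
    """Suite reported by s_client, or None when the handshake failed."""
    m = re.search(r"Cipher is (\S+)", s_client_output)
    return None if not m or m.group(1) == "(NONE)" else m.group(1)

def run(args):
    """Run the openssl binary and return stdout and stderr together."""
    p = subprocess.run([OPENSSL, *args], input="Q\n", capture_output=True,
                       text=True, timeout=30)
    return p.stdout + p.stderr

def audit(host, port=443):
    """RC4 suites the server accepts; refuses to run with an RC4-less client."""
    local = rc4_suites(run(["ciphers", *PROVIDERS, "-v", "RC4:@SECLEVEL=0"]))
    if not local:
        raise RuntimeError("local OpenSSL offers no RC4 suites; a 'clean' "
                           "result would be a false negative")
    accepted = []
    for suite in local:
        out = run(["s_client", *PROVIDERS, "-connect", f"{host}:{port}",
                   "-servername", host, "-no_tls1_3",
                   "-cipher", f"{suite}:@SECLEVEL=0"])
        if negotiated_cipher(out) == suite:
            accepted.append(suite)
    return accepted

if __name__ == "__main__":
    print(audit(sys.argv[1]) or "no RC4 suite accepted")
```

A connection failure is reported the same way as a refused suite, so confirm the host is reachable before reading an empty result as "RC4 disabled".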