[Pkg-openssl-devel] Bug#872335: Bug#872335: openssl: DES-CBC3-SHA not usable
Kurt Roeckx
kurt at roeckx.be
Wed Aug 16 17:13:44 UTC 2017
On Wed, Aug 16, 2017 at 02:31:48PM +0200, Simon Lipp wrote:
> Package: openssl
> Version: 1.1.0f-3
> Severity: normal
>
> Dear Maintainer,
>
> After upgrading to stretch, one of our client complained that he
> couldn’t access to one of our website with Internet Explorer 8 on
> Windows XP.
>
> After investigation, it looks like that the cipher recommended by
> Mozilla (using https://mozilla.github.io/server-side-tls/ssl-config-generator/)
> for IE8 compatibility, DES-CBC3-SHA, despite being enabled in
> /etc/nginx/nginx.conf, is not present in the ciphers recognized by our
> server (TLS_RSA_WITH_3DES_EDE_CBC_SHA not present in nmap localhost -p 443
> --script=ssl-enum-ciphers)
>
> It ss also absent from openssl ciphers -V ALL:COMPLEMENTOFALL. A quick
> glance on this list show that there is no cipher compatible with IE8
> (https://www.ssllabs.com/ssltest/viewClient.html?name=IE&version=8&platform=XP&key=101)
>
> The cipher is still present in the ciphers(1ssl) manpage.
That cipher has been disabled by default because of the sweet32
attack. There are no ciphers enabled anymore that can talk to IE
on windows XP.
Kurt
More information about the Pkg-openssl-devel
mailing list