
I have been facing this issue where I can't send the RC4-MD5 cipher in the Client Hello at the TLS protocol layer. My current code uses curl's SSL CTX callback.

You can see my code below... nothing fancy here, but the last cipher does not go into the Client Hello. My protocols are HTTP/1.0 and TLSv1.2; I compiled OpenSSL with the option for weak ciphers (and it works for the DES cipher).

#include <curl/curl.h>
#include <openssl/ssl.h>

/* Poster's own parameter type, handed in via CURLOPT_SSL_CTX_DATA (its definition is not shown in the question). */
typedef struct sslctxparm sslctxparm;

/* CURLOPT_SSL_CTX_FUNCTION callback: libcurl passes its SSL_CTX here before it connects. */
CURLcode sslctxfun(CURL *curl, void *sslctx, void *parm)
{
  sslctxparm *p = (sslctxparm *) parm;
  SSL_CTX *ctx = (SSL_CTX *) sslctx;
  (void) curl;
  (void) p;

  int ret;
  SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION);
  SSL_CTX_set_min_proto_version(ctx, TLS1_2_VERSION);
  /* OpenSSL accepts commas as separators in a cipher string, although colons are the usual form. */
  ret=SSL_CTX_set_cipher_list(ctx, "AES256-SHA256,AES128-SHA256,AES256-SHA,AES128-SHA,DES-CBC3-SHA,RC4-SHA,RC4-MD5");
  if (ret != 1)
    return CURLE_SSL_CIPHER;          /* no cipher in the list could be selected */
  /* ..... */
  SSL_CTX_set_options(ctx, SSL_OP_ALL);
  SSL_CTX_set_options(ctx, SSL_OP_NO_TICKET);
  SSL_CTX_set_options(ctx, SSL_OP_NO_ENCRYPT_THEN_MAC);
  SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
  SSL_CTX_set_options(ctx,SSL_OP_NO_RENEGOTIATION);
  SSL_CTX_set_options(ctx, SSL_OP_TLS_ROLLBACK_BUG );
  SSL_CTX_set_options(ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS );
  SSL_CTX_set_options(ctx, SSL_OP_NO_COMPRESSION );
  SSL_CTX_set_options(ctx, SSL_OP_LEGACY_SERVER_CONNECT );
  SSL_CONF_CTX *cctx;
  cctx = SSL_CONF_CTX_new();
  if (cctx == NULL)
    return CURLE_OUT_OF_MEMORY;
  SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_FILE);
  SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
  ret=SSL_CONF_cmd(cctx, "SignatureAlgorithms", "RSA+SHA256:RSA+SHA512:RSA+SHA384:RSA+SHA1");
  /* SSL_CONF_cmd returns <= 0 on an unrecognised command or bad value; finish() validates the
     accumulated commands, and the CONF context must be freed either way (it was leaked before). */
  if (ret <= 0 || !SSL_CONF_CTX_finish(cctx)) {
    SSL_CONF_CTX_free(cctx);
    return CURLE_SSL_CONNECT_ERROR;
  }
  SSL_CONF_CTX_free(cctx);
  /* .... */
  return CURLE_OK;
}
habib
  • This code is not complete. Are you running as the server or the client? Does the peer you're connecting to support RC4-MD5 ciphers? – Andrew Henle Apr 01 '20 at 18:43
  • I'm a client. The server expects a 1-1 packet of Client Hello, in which the client should respond that RC4-MD5 is supported by the client, and the SSL3/TLS standards do acknowledge that. The rest of the code, which is the URL and POST data, is handled by libcurl. A simple look at the packet shows me that RC4-MD5 is not being sent as a supported cipher by the client (me). – habib Apr 01 '20 at 21:35

1 Answer


That ciphersuite is not available in the default OpenSSL security level (which is level 1). You need to instruct it to use security level 0. One way to do that is to add ,@SECLEVEL=0 onto the end of your ciphersuite list:

ret=SSL_CTX_set_cipher_list(ctx, "AES256-SHA256,AES128-SHA256,AES256-SHA,AES128-SHA,DES-CBC3-SHA,RC4-SHA,RC4-MD5,@SECLEVEL=0");

Alternatively you can set it using SSL_CTX_set_security_level(). See the man page for a description of the levels:

https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_security_level.html

Matt Caswell