Inspired by https://github.com/openssl/web/pull/37 by Ben Kaduk
There is good reason why these have been disabled by default. Consider upgrading
to more robust options as these ciphers may only provide a facade of security.
This option is not recommended for anyone other than maintainers of legacy
There is good reason why these have been disabled by default. Consider upgrading
to more robust options as these ciphers may only provide a facade of security.
This option is not recommended for anyone other than maintainers of legacy
+applications. There are two parts to doing this. First, you must configure
+with "enable-weak-ssl-ciphers." This compiles the ciphers, but does not
+enable them at run-time; to do this you must set the "security level" flag.
+This can be done at build time to change the default, or it can be done at
+runtime to change it for particular SSL_CTX; see
+@@@https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_security_level.html@@@
+for details.
-You must set the weak ciphers flag and override the default SECLEVEL with:
+In other words, you should do one of the following:
<PRE>
./config enable-weak-ssl-ciphers -DOPENSSL_TLS_SECURITY_LEVEL=0
</PRE>
<PRE>
./config enable-weak-ssl-ciphers -DOPENSSL_TLS_SECURITY_LEVEL=0
</PRE>
-Then follow compilation/install procedure like normal...
+or
+
+<PRE>
+ # To configure and build
+ ./config enable-weak-ssl-ciphers
+
+ /* In your code */
+ SSL_CTX_set_security_level(ctx, 0);
+</PRE>
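Review bot: At "In other words, you should do one of the following:", the two options are presented as interchangeable, but the paragraph just above says the build-time form changes the default while the runtime form changes it for a particular SSL_CTX. Since -DOPENSSL_TLS_SECURITY_LEVEL=0 lowers the default for everything that uses this build, suggest stating that difference here and listing the SSL_CTX_set_security_level(ctx, 0) option first as the narrower choice for a legacy application. Smaller points: the new PRE block mixes a shell comment ("# To configure and build") with a C comment ("/* In your code */"), so splitting it into one block for the ./config command and one for the C call would keep it from being read as a single script. In "enable-weak-ssl-ciphers." the period sits inside the quotes and reads as part of the option name. "for particular SSL_CTX" is missing "a".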