
How do I enable weak ciphers for backwards compatibility?

Question: How do I enable weak ciphers used for backwards compatibility?

Answer: To enable or disable weak cipher suites and signature algorithms (those that use SHA-1 and MD5), define the following build flags and run time settings.

Build flags

Define the following build flags:

  1. RSA Key Size

    • MIN_SSL_RSA_SIZE: Defaults to 2048. Define the following macro in the build environment to redefine the minimum key size allowed.

    • -DMIN_SSL_RSA_SIZE=1024

  2. Cipher Suite Negotiation

    • __DISABLE_MOCANA_SSL_WEAK_CIPHERS__: Disables SHA-1 & MD5 cipher suites during SSL cipher negotiation.

    • __DISABLE_MOCANA_NULL_MD5_CIPHER__: Enables SHA-1 and disables MD5 cipher suites during SSL cipher negotiation.

  3. Signature Algorithms

    • __ENABLE_MOCANA_TLS12_UNSECURE_HASH__: Enables use of SHA-1 for signing.

    • __ENABLE_MOCANA_TLS12_UNSECURE_HASH__ and __ENABLE_MOCANA_SSL_MD5__: Enables use of SHA-1 and MD5 for signing.

Runtime settings

The following run time settings may also be configured:

  • RSA Key Size: To set the RSA key size at run time, applications can call the following API with a key size of 1024, 2048, 3076, or 4098:

    sbyte4 SSL_setMinRSAKeySize(ubyte4 <keysize>)
    
  • Cipher Suites: To enable or disable the SHA-1 cipher suites from the application at run time (when built without the __DISABLE_MOCANA_SSL_WEAK_CIPHERS__ flag), call the following API after SSL_enableCiphers:

    sbyte4 SSL_disableCipherHashAlgorithm(sbyte4 connInstance, ubyte <hashId>)

    Where <hashId> may be one of the following values:

    • 0: (TLS_NONE) Enables support for MD5, SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 hash algorithms.

    • 1: (TLS_MD5) Disables the cipher suites that have hash algorithms equal to or weaker than MD5.

    • 2: (TLS_SHA1) Disables the cipher suites that have hash algorithms equal to or weaker than SHA-1.

    • 3: (TLS_SHA224) Disables the cipher suites that have hash algorithms equal to or weaker than SHA-224.

    • 4: (TLS_SHA256) Disables the cipher suites that have hash algorithms equal to or weaker than SHA-256.

    • 5: (TLS_SHA384) Disables the cipher suites that have hash algorithms equal to or weaker than SHA-384.

    • 6: (TLS_SHA512) Disables the cipher suites that have hash algorithms equal to or weaker than SHA-512.
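
The "equal to or weaker than" rule for <hashId> is a threshold, so one value removes every weaker hash as well. The C program below is an added illustration that models that rule; it is not SDK code and does not call the SDK. The suite table is a constructed sample, the helper names are hypothetical, and classifying a suite by the hash in its name and rejecting out-of-range ids are assumptions of the model.

```c
/* Added illustration: models the <hashId> threshold rule described above.
   Not SDK code; the suite table below is a constructed sample. */
#include <stdio.h>
#include <stddef.h>

/* Values as listed on the page for <hashId>. */
enum hash_id { TLS_NONE = 0, TLS_MD5, TLS_SHA1, TLS_SHA224,
               TLS_SHA256, TLS_SHA384, TLS_SHA512 };

struct suite { const char *name; enum hash_id hash; };

/* Constructed sample: IANA suite names, classified by the hash in the
   suite name (an assumption of this model). */
static const struct suite SAMPLE[] = {
    { "TLS_RSA_WITH_RC4_128_MD5",              TLS_MD5    },
    { "TLS_RSA_WITH_AES_128_CBC_SHA",          TLS_SHA1   },
    { "TLS_RSA_WITH_AES_128_CBC_SHA256",       TLS_SHA256 },
    { "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", TLS_SHA384 },
};
#define N_SAMPLE (sizeof SAMPLE / sizeof SAMPLE[0])

/* Hypothetical helper: returns 1 if a suite survives the threshold.
   A suite is disabled when its hash is equal to or weaker than hashId. */
int model_suite_enabled(enum hash_id suite_hash, int threshold)
{
    if (threshold < TLS_NONE || threshold > TLS_SHA512)
        return 0;                       /* model choice: unknown id keeps nothing */
    return (int)suite_hash > threshold; /* TLS_NONE (0) keeps every suite */
}

/* Hypothetical helper: number of sample suites left for a given hashId. */
int model_count_enabled(int threshold)
{
    int n = 0;
    for (size_t i = 0; i < N_SAMPLE; i++)
        n += model_suite_enabled(SAMPLE[i].hash, threshold);
    return n;
}

int main(void)
{
    for (int t = TLS_NONE; t <= TLS_SHA512; t++) {
        printf("hashId=%d keeps %d suite(s):", t, model_count_enabled(t));
        for (size_t i = 0; i < N_SAMPLE; i++)
            if (model_suite_enabled(SAMPLE[i].hash, t))
                printf(" %s", SAMPLE[i].name);
        printf("\n");
    }
    return 0;
}
```

In this model, <hashId> 2 leaves only the SHA-256 and SHA-384 suites, while 5 or 6 leaves none of the sample suites enabled.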