How do I enable weak ciphers for backwards compatibility?
Question: How do I enable weak ciphers used for backwards compatibility?
Answer: To enable or disable weak cipher suite(s), signature algorithms (with SHA-1 and MD5), define the following build flags and run time settings.
Build flags
Define the following build flags:
RSA Key Size
MIN_SSL_RSA_SIZE
: Defaults to 2048. Define the following macro in the build environment to redefine the minimum key size allowed.-DMIN_SSL_RSA_SIZE=1024
Cipher Suite Negotiation
__DISABLE_MOCANA_SSL_WEAK_CIPHERS__
: Disables SHA-1 & MD5 cipher suites during SSL cipher negotiation.__DISABLE_MOCANA_NULL_MD5_CIPHER__
: Enables SHA-1 and disables MD5 cipher suites during SSL cipher negotiation.
Signature Algorithms
__ENABLE_MOCANA_TLS12_UNSECURE_HASH__
: Enables use of SHA-1 for signing.__ENABLE_MOCANA_TLS12_UNSECURE_HASH__
and__ENABLE_MOCANA_SSL_MD5__
: Enables use of SHA-1 and MD5 for signing.
Runtime settings
The following run time settings may also be configured:
RSA Key Size: To set the RSA key size at run time, use the following API to allow applications to set the key size to 1024, 2048, 3076, 4098 at run time:
sbyte4 SSL_setMinRSAKeySize(ubyte4 <keysize>)
Cipher Suites: To enable or disable the SHA-1 cipher suites from the application at run time (when built without the
__DISABLE_MOCANA_SSL_WEAK_CIPHERS__
flag), invoke the following setting afterSSL_enableCiphers
:sbyte4 SSL_disableCipherHashAlgorithm(sbyte4 connInstance, ubyte<hashId>)
Where
<hashID>
may be one of the following values:0: (
TLS_NONE
) Enables support for MD5, SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 hash algorithms.1: (
TLS_MD5
) Disables the cipher suites that have hash algorithms equal to or weaker than MD5.2: (
TLS_SHA1
) Disables the cipher suites that have hash algorithms equal to or weaker than SHA-1.3: (
TLS_SHA224
) Disables the cipher suites that have hash algorithms equal to or weaker than SHA-224.4: (
TLS_SHA256
) Disables the cipher suites that have hash algorithms equal to or weaker than SHA-256.5: (
TLS_SHA384
) Disables the cipher suites that have hash algorithms equal to or weaker than SHA-384.6: (
TLS_SHA512
) Disables the cipher suites that have hash algorithms equal to or weaker than SHA-512.