How do I enable weak ciphers for backwards compatibility?

  2 minute read  

Question: How do I enable weak ciphers used for backwards compatibility?

Answer: To enable or disable weak cipher suite(s), signature algorithms (with SHA-1 and MD5), define the following build flags and run time settings.

Build flags

Define the following build flags:

  1. RSA Key Size
    • MIN_SSL_RSA_SIZE: Defaults to 2048. Define the following macro in the build environment to redefine the minimum key size allowed.
    • -DMIN_SSL_RSA_SIZE=1024
  2. Cipher Suite Negotiation
    • __DISABLE_MOCANA_SSL_WEAK_CIPHERS__: Disables SHA-1 & MD5 cipher suites during SSL cipher negotiation.
    • __DISABLE_MOCANA_NULL_MD5_CIPHER__: Enables SHA-1 and disables MD5 cipher suites during SSL cipher negotiation.
  3. Signature Algorithms
    • __ENABLE_MOCANA_TLS12_UNSECURE_HASH__: Enables use of SHA-1 for signing.
    • __ENABLE_MOCANA_TLS12_UNSECURE_HASH__ and __ENABLE_MOCANA_SSL_MD5__: Enables use of SHA-1 and MD5 for signing.

Runtime settings

The following run time settings may also be configured:

  • RSA Key Size: To set the RSA key size at run time, use the following API to allow applications to set the key size to 1024, 2048, 3076, 4098 at run time:
    sbyte4 SSL_setMinRSAKeySize(ubyte4 <keysize>)
  • Cipher Suites: To enable or disable the SHA-1 cipher suites from the application at run time (when built without the __DISABLE_MOCANA_SSL_WEAK_CIPHERS__ flag), invoke the following setting after SSL_enableCiphers:
    sbyte4 SSL_disableCipherHashAlgorithm(sbyte4 connInstance, ubyte<hashId>)
    Where <hashID> may be one of the following values:
    • 0: (TLS_NONE) Enables support for MD5, SHA-1, SHA-224, SHA-256, SHA-384, and SHA-512 hash algorithms.
    • 1: (TLS_MD5) Disables the cipher suites that have hash algorithms equal to or weaker than MD5.
    • 2: (TLS_SHA1) Disables the cipher suites that have hash algorithms equal to or weaker than SHA-1.
    • 3: (TLS_SHA224) Disables the cipher suites that have hash algorithms equal to or weaker than SHA-224.
    • 4: (TLS_SHA256) Disables the cipher suites that have hash algorithms equal to or weaker than SHA-256.
    • 5: (TLS_SHA384) Disables the cipher suites that have hash algorithms equal to or weaker than SHA-384.
    • 6: (TLS_SHA512) Disables the cipher suites that have hash algorithms equal to or weaker than SHA-512.