
OpenSSL - Loading legacy ciphers failed


I am using OpenSSL on Windows, and trying to simply assess if a remote server has old ciphers (RC4) enabled.

My current OpenSSL version is v3.0.8. I actually already found some help here: "How to enable the OpenSSL 3.0 legacy provider Github Actions?", but it is not enough in my case. Note that I am not compiling anything, just trying to use the regular installed Win64-OpenSSL with legacy provider.

I've already modified my OpenSSL configuration file to add and activate the legacy provider. I've also configured the OPENSSL_MODULES environment variable to find the legacy dll (in its default post-install location, under C:\Program Files\OpenSSL-Win64\bin).

Thanks to that, I can actually run this :

>openssl list -providers -provider legacy

Providers:
  legacy
    name: OpenSSL Legacy Provider
    version: 3.0.8
    status: active

But it seems to be an "empty box" when I run :

>openssl ciphers -provider legacy -v

6C1F0000:error:0A0000A1:SSL routines:SSL_CTX_new_ex:library has no ciphers:ssl\ssl_lib.c:3290:

And I get the same error when trying to connect to my remote server.

Would anyone have some help ? :)


Solution

  • For people having the same issue : I actually had to build my own OpenSSL version, adding just a flag to "enable-weak-ssl-ciphers" during the build. The step-by-step would be like :

    • Download OpenSSL sources from their website
    • Download & install Visual Studio (when installing, select only the Desktop Development with C++ package, no other package is needed)
    • Download & install Strawberry Perl + NASM for Windows
    • Add the NASM folder to your Path environment variable (then check that it works by running "nasm -v" in a cmd prompt)
    • With any text editor, open the "openssl.cnf" file from the extracted OpenSSL sources folder and add the following lines : OpenSSL conf file modification
    • Launch as admin the "x64 Native Tools Command Prompt" from Windows menu > Visual Studio folder
    • With cd, get to the OpenSSL sources folder
    • Run perl configure VC-WIN64 enable-weak-ssl-ciphers --prefix="C:\Program Files\OpenSSL-Win64" (the last path is where OpenSSL will be later installed, can be anything)
    • Then run nmake : this can take a while (15-30min I'd say)
    • Then run nmake install

    And you're done :)

    I got my answer directly on the OpenSSL GitHub page : https://github.com/openssl/openssl/issues/20526

    And to build my own OpenSSL I followed this excellent step-by-step guide : https://developers.refinitiv.com/en/article-catalog/article/how-to-build-openssl--zlib--and-curl-libraries-on-windows
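
The check the question is after (does a server still accept RC4?) can also be made without depending on which ciphers the local OpenSSL build includes. The following is an added example, not part of the original answer or of OpenSSL: it sends a TLS 1.2 ClientHello offering only RC4 suites and reports whether the server selects one or answers with an alert. The function names are this example's own, and the host passed to `probe_rc4` is the server you are assessing.

```python
import os
import socket
import struct

RC4_SUITES = {  # IANA TLS registry IDs; function names below are illustrative
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
}

def ext(ext_type, data):
    return struct.pack("!HH", ext_type, len(data)) + data

def build_client_hello(host):
    """TLS 1.2 ClientHello record offering only the RC4 suites above."""
    name = host.encode("ascii")
    exts = (ext(0x0000, struct.pack("!HBH", len(name) + 3, 0, len(name)) + name)  # SNI
            + ext(0x000A, bytes.fromhex("0006001700180019"))      # supported_groups
            + ext(0x000B, b"\x01\x00")                            # ec_point_formats
            + ext(0x000D, bytes.fromhex("00080401040302010203")))  # signature_algorithms
    ids = b"".join(struct.pack("!H", s) for s in RC4_SUITES)
    body = (b"\x03\x03" + os.urandom(32) + b"\x00"                # version, random, empty session id
            + struct.pack("!H", len(ids)) + ids + b"\x01\x00"     # suites, null compression
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def parse_server_reply(data):
    """('accepted', suite name), ('rejected', alert code) or ('unknown', None)."""
    if len(data) >= 7 and data[0] == 0x15:                        # alert record
        return ("rejected", data[6])
    if len(data) >= 46 and data[0] == 0x16 and data[5] == 0x02:   # ServerHello
        off = 44 + data[43]          # skip headers, version, random, session id
        suite = int.from_bytes(data[off:off + 2], "big")
        return ("accepted", RC4_SUITES.get(suite, hex(suite)))
    return ("unknown", None)

def probe_rc4(host, port=443, timeout=5.0):
    """Send the hello to host:port and classify the first reply record."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        data = b""
        while len(data) < 5 or len(data) < 5 + int.from_bytes(data[3:5], "big"):
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return parse_server_reply(data)
```

A result of `("rejected", 40)` is a handshake_failure alert, meaning the server shares none of the offered RC4 suites; `("accepted", ...)` names the RC4 suite it chose.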