Search code examples
csslopenssllegacy

Coding/configuring an OpenSSL server for maximum compatibility

I am coding an SSL server in C + OpenSSL. This is pretty straightforward, and there are lots of examples to follow.

However, I need to interoperate with a broad range of legacy clients, some of which are really old, and have a variety of bugs which prevent SSL negotiation from working. Reaching the users of these clients to have them upgrade is impractical at best.

SSL_CTX_set_options(ctx, SSL_OP_ALL);

... helps, but there are still clients that can't establish an SSL connection.

What other measures can I take to make OpenSSL as interoperable as possible?

(An example problematic client is Kermit95 on Windows -- compiled in 2003, I believe, with a libssleay.dll in the install directory. Although the Kermit95 source is free now, even the maintainer doesn't know how to build it on Windows!)

Solution

  • There are a number of things I know of that increase the interoperability of openSSL.

    1. Use "ALL" or maybe "ALL:EXPORT:LOW". I haven't checked if ALL really does mean ALL.
    2. There is a compile-time option to re-enable EXPORT56 ciphers in openSSL. You will have to set TLS1_ALLOW_EXPERIMENTAL_CIPHERSUITES to 1 in ssl/tls1.h. By default they are disabled
    3. Some binary distributions including RedHat's leave out any ciphers that have patent issues.
    4. The experimental ciphers are likely to require a 512 bit RSA key. See sample code here: http://www.openssl.org/docs/ssl/SSL_CTX_set_tmp_rsa_callback.html

    Basic answer - compile your own openSSL!