[Pkg-openssl-devel] Bug#872335: openssl: DES-CBC3-SHA not usable
Simon Lipp
simon.lipp at loyaltycompany.com
Wed Aug 16 12:31:48 UTC 2017
Package: openssl
Version: 1.1.0f-3
Severity: normal
Dear Maintainer,
After upgrading to stretch, one of our clients complained that he
couldn’t access one of our websites with Internet Explorer 8 on
Windows XP.
After investigation, it looks like the cipher recommended by
Mozilla (using https://mozilla.github.io/server-side-tls/ssl-config-generator/)
for IE8 compatibility, DES-CBC3-SHA, despite being enabled in
/etc/nginx/nginx.conf, is not present in the ciphers recognized by our
server (TLS_RSA_WITH_3DES_EDE_CBC_SHA not present in nmap localhost -p 443
--script=ssl-enum-ciphers)
It is also absent from openssl ciphers -V ALL:COMPLEMENTOFALL. A quick
glance at this list shows that there is no cipher compatible with IE8
(https://www.ssllabs.com/ssltest/viewClient.html?name=IE&version=8&platform=XP&key=101)
The cipher is still present in the ciphers(1ssl) manpage.
-- System Information:
Debian Release: 9.1
APT prefers stable
APT policy: (990, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages openssl depends on:
ii libc6 2.24-11+deb9u1
ii libssl1.1 1.1.0f-3
openssl recommends no packages.
Versions of packages openssl suggests:
ii ca-certificates 20161130+nmu1
-- no debconf information
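
Added example (not part of the original report, and not code from Debian, nginx or OpenSSL): a shell check for the mismatch the report describes, where a cipher named in the server configuration is absent from what the local OpenSSL build offers. The function names and sample lists are constructed; it assumes the configured string lists explicit suite names plus '!' exclusions rather than group keywords such as HIGH.

```shell
#!/bin/sh
# Report cipher suites named in a server's cipher string that the local
# OpenSSL build does not offer (they are silently dropped at runtime).

# One suite name per line, from the same listing the report inspects.
supported_ciphers() {
    openssl ciphers 'ALL:COMPLEMENTOFALL' | tr ':' '\n'
}

# missing_ciphers CONFIGURED SUPPORTED
#   CONFIGURED: colon-separated string as written after nginx's ssl_ciphers
#   SUPPORTED:  newline-separated suite names the library offers
# Prints every explicitly named suite that is not in SUPPORTED.
missing_ciphers() {
    configured=$1
    supported=$2
    printf '%s\n' "$configured" | tr ':' '\n' | while IFS= read -r name; do
        case $name in
            # Empty fields, exclusions, reordering and @ directives are
            # not suite names, so they are skipped.
            ''|'!'*|'-'*|'+'*|'@'*) continue ;;
        esac
        # -x: whole-line match, -F: literal string (no regex surprises)
        if ! printf '%s\n' "$supported" | grep -qxF -- "$name"; then
            printf '%s\n' "$name"
        fi
    done
}

# Constructed sample data (not taken from the reporter's system).
SAMPLE_CONFIGURED='ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:DES-CBC3-SHA:!DSS'
SAMPLE_SUPPORTED='ECDHE-RSA-AES128-GCM-SHA256
AES128-SHA
AES256-SHA'

missing_ciphers "$SAMPLE_CONFIGURED" "$SAMPLE_SUPPORTED"

# On a real host, pass the live listing instead of the sample:
#   missing_ciphers "$SAMPLE_CONFIGURED" "$(supported_ciphers)"
```

Any name it prints is configured but will not be negotiated, so clients that depend on it fail the handshake.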