Adding an old cipher into the system

Hello.

I can’t add RC4 and 3DES to Rocky 9.5.

  1. I changed the level of the crypto policy to LEGACY.
  2. I tried to make a .pmod module with the following content:

cipher@TLS = +RC4-* +DES-*
cipher = +RC4-* +DES-*

I tried to apply this module.
  3. I tried to build my own policy by copying LEGACY and adding these algorithms to it.

All the same, when I test my server (Postfix) with some software,
testssl.sh for example, I can’t see that these two algorithms were added to my system.

(
Of course, I made a setting (for testing) in Postfix’s main.conf

smtpd_tls_protocols = SSLv3, TLSv1
)

At the same time, while checking for the presence of old crypto algorithms,
I see the list of old algorithms and don’t see RC4 and 3DES among them.

Maybe somebody knows how to do it, because there are no detailed descriptions of how to do it on the internet.

I am not sure here, but maybe try exploring this file:

[jp@rocky-wsl ~]$ cat /usr/share/crypto-policies/LEGACY/openssl.txt
@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8

According to man 7 crypto-policies:

/usr/share/crypto-policies/<POLICYNAME>
    Pre-generated back-end configurations for policy POLICYNAME.

/etc/crypto-policies/local.d
    Additional configuration shipped by other packages or created by the system administrator. The contents of the <backend>-file.config is appended to the configuration from the policy back end
    as shipped in the crypto-policies package.

It seems to me that your ciphers are disabled by default in the LEGACY policy as well, and you need to create local config files to override this.
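Added worked example (not part of any post in this thread, and not crypto-policies or OpenSSL code): a small Python model of the OpenSSL cipher-string rules that the openssl.txt quoted above is written in, to show why appending to that string can bring back a cipher removed with `-3DES` but never one removed with `!RC4`. The suite table is a constructed subset of OpenSSL's real table, the way `with_local_append` joins a local.d fragment onto the policy string is an assumption about how that content reaches the cipher string, `@SECLEVEL` is recognised but its strength filtering is not modelled, and `suites_available_locally` only reports what the OpenSSL linked into the running Python actually offers.

```python
"""Toy evaluator for OpenSSL cipher strings (constructed example, not
OpenSSL or crypto-policies code).  Token forms modelled, per ciphers(1):
  NAME    add matching suites (unless permanently killed earlier)
  +NAME   move already-enabled matching suites to the end of the list
  -NAME   drop matching suites; a later bare NAME can re-add them
  !NAME   drop matching suites permanently; nothing later can re-add them
Tokens starting with '@' (e.g. @SECLEVEL=2) are skipped, so the security
level's own filtering of weak suites is NOT modelled here.
"""
import ssl

# Constructed subset of OpenSSL's cipher-suite table: suite name -> the
# ciphers(1) aliases that select it.  Note that the alias "DES" (single DES)
# does not select the 3DES suites; "3DES" does.
SUITES: dict[str, frozenset[str]] = {
    "ECDHE-RSA-AES128-GCM-SHA256": frozenset({"kEECDH", "aRSA", "AES128", "AESGCM", "AEAD", "SHA256"}),
    "ECDHE-RSA-DES-CBC3-SHA":      frozenset({"kEECDH", "aRSA", "3DES", "SHA1"}),
    "ECDHE-RSA-RC4-SHA":           frozenset({"kEECDH", "aRSA", "RC4", "SHA1"}),
    "AES128-SHA":                  frozenset({"kRSA", "aRSA", "AES128", "SHA1"}),
    "DES-CBC3-SHA":                frozenset({"kRSA", "aRSA", "3DES", "SHA1"}),
    "RC4-SHA":                     frozenset({"kRSA", "aRSA", "RC4", "SHA1"}),
    "NULL-SHA":                    frozenset({"kRSA", "aRSA", "eNULL", "SHA1"}),
}


def _matches(token: str) -> list[str]:
    """Suites selected by a bare token; 'A+B' means every word must match."""
    words = token.split("+")
    return [name for name, aliases in SUITES.items()
            if all(w == name or w in aliases for w in words)]


def resolve_cipher_string(cipher_string: str) -> list[str]:
    """Return the ordered list of suites an OpenSSL-style cipher string enables."""
    enabled: list[str] = []
    killed: set[str] = set()          # suites hit by '!'; can never come back
    for token in cipher_string.replace(",", ":").replace(" ", ":").split(":"):
        if not token or token.startswith("@"):
            continue
        modifier, body = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        hits = _matches(body)
        if modifier == "!":
            killed.update(hits)
            enabled = [s for s in enabled if s not in hits]
        elif modifier == "-":
            enabled = [s for s in enabled if s not in hits]
        elif modifier == "+":
            moved = [s for s in enabled if s in hits]
            enabled = [s for s in enabled if s not in hits] + moved
        else:
            enabled += [s for s in hits if s not in killed and s not in enabled]
    return enabled


# The LEGACY back-end string as quoted in the thread.
LEGACY_OPENSSL_TXT = ("@SECLEVEL=2:kEECDH:kRSA:kEDH:kPSK:kDHEPSK:kECDHEPSK:kRSAPSK:-aDSS:-3DES:!DES:!RC4:"
                      "!RC2:!IDEA:-SEED:!eNULL:!aNULL:!MD5:-SHA384:-CAMELLIA:-ARIA:-AESCCM8")


def with_local_append(base: str, appended: str) -> list[str]:
    """Model a local.d fragment being appended to the policy's cipher string.
    Assumption: the fragment simply becomes further ':'-separated tokens at the end."""
    return resolve_cipher_string(base + ":" + appended)


def suites_available_locally(cipher_string: str) -> list[str]:
    """Ask the OpenSSL linked into this Python which suites it can really offer for
    cipher_string.  An empty list means the library itself lacks them, and then no
    crypto-policies edit can bring them back."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:              # "No cipher can be selected"
        return []
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


if __name__ == "__main__":
    print("LEGACY alone         :", resolve_cipher_string(LEGACY_OPENSSL_TXT))
    print("LEGACY + ':3DES:RC4' :", with_local_append(LEGACY_OPENSSL_TXT, "3DES:RC4"))
    print("libssl here offers   :", suites_available_locally("RC4:3DES"))
```

The first two lines of output show the asymmetry: the 3DES suites come back because LEGACY only removed them with `-3DES`, while the RC4 suites stay out because `!RC4` is permanent within that string. The third line depends on the host's OpenSSL build, which is the separate question of whether libssl contains the suites at all; on the command line, `openssl ciphers -v 'RC4:3DES'` answers the same question.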

Thank you for the answer.
I think that those ciphers are absent from my OpenSSL library (I checked recently); that is why, even if I configure it, it won’t work.

There’s a reason that the older ciphers have been removed: they are insecure and therefore shouldn’t be used.

What you should really be doing is moving any old systems that are trying to communicate using RC4/3DES to newer and more secure ciphers.

@daol you also need to “re-enable” the protocols < TLSv1.2

In the Postfix config main.cf?
I did it. The result was the same.
This is a matter of the OpenSSL version. I understood it.

No, via a custom crypto-policies/local.d config…

I wrote at the beginning that I
“3. I tried to build my own policy by copying LEGACY and adding these algorithms into it.”
I also added TLS 1.0 to this policy.

I did all this because I have been configuring a Postfix relay for an old multi-part proprietary mail system with old SSL protocols, like SSLv3 and TLSv1, as a temporary solution.

It’s not clearly stated that these protocols were included. Show us the complete output of your policy configuration…

Thank you for the answer.
I reinstalled the OS and chose not a modern system but CentOS 7,
where the OpenSSL library is older. We have already configured another host with this distribution and got the necessary type of encryption algorithm.
By erasing the new system, I erased the configs for the encryption policy.