# security/openssl111 - make.conf options



## Mayhem30 (Jan 6, 2019)

Is it possible to add the "enable-weak-ssl-ciphers" option in the /etc/make.conf file for security/openssl111?


----------



## Mayhem30 (Jan 7, 2019)

Is it not possible?

I would hate to have to modify the /usr/ports/security/openssl111/Makefile directly each time.


----------



## SirDice (Jan 7, 2019)

Any specific cipher you're looking for?


----------



## Mayhem30 (Jan 7, 2019)

Yes, I would like to enable: TLS_RSA_WITH_3DES_EDE_CBC_SHA (DES-CBC3-SHA)


----------



## SirDice (Jan 7, 2019)

As far as I know DES (not 3DES) has been completely removed since 1.1.0.


----------



## Mayhem30 (Jan 7, 2019)

All I can see in the openssl changelog for 1.1.0 is :

```
Removed DES and RC4 ciphersuites from DEFAULT.
```

They should still be accessible if I enable the "enable-weak-ssl-ciphers" option. It never hurts to try anyway.

How can I enable this option in the make.conf file?


----------



## gushi (Dec 23, 2020)

I know it's an old thread, but I just ran across this, because openssl making this a compile-time, non-overridable option is a pain in the butt when it's on your *nagios* system.

Looks like WEAK-SSL-CIPHERS=YES in make.conf should do it.

From there, you'd need to tell any other port to use the ports version rather than base.  I'm about to test this out myself.
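
The make.conf side of this, as an added example that is not part of gushi's post: the ports options framework reads a per-port knob named after the port origin with "/" replaced by "_" (`security_openssl111_SET+=` / `_UNSET+=`), and `DEFAULT_VERSIONS+= ssl=openssl111` is how other ports are pointed at the ports OpenSSL instead of the base-system one. The script below writes both lines idempotently; the make.conf path is a parameter so it can be tried against a scratch file first, and the real `/etc/make.conf` is only touched with `--apply`.

```sh
#!/bin/sh
# Added example, not from the thread: write the ports-framework knobs that
# turn on the WEAK-SSL-CIPHERS option of security/openssl111 and make other
# ports link against the ports OpenSSL, without editing the port's Makefile.
# The knob name is the port origin with "/" replaced by "_" followed by
# _SET (or _UNSET); "ssl=openssl111" in DEFAULT_VERSIONS selects the ports
# OpenSSL over the base-system libssl for dependent ports.

# origin_to_knob ORIGIN: security/openssl111 -> security_openssl111
origin_to_knob() {
    printf '%s\n' "$1" | tr '/' '_'
}

# append_once FILE LINE: append LINE to FILE unless an identical line is
# already there, so re-running the script never duplicates a knob.
# Returns 0 when the line was added, 1 when it was already present.
append_once() {
    [ -f "$1" ] || : > "$1"
    if grep -qxF -- "$2" "$1"; then
        return 1
    fi
    printf '%s\n' "$2" >> "$1"
}

# set_port_option MAKE_CONF ORIGIN OPTION
#   e.g. set_port_option /etc/make.conf security/openssl111 WEAK-SSL-CIPHERS
#   emits: security_openssl111_SET+= WEAK-SSL-CIPHERS
set_port_option() {
    append_once "$1" "$(origin_to_knob "$2")_SET+= $3"
}

# use_ports_ssl MAKE_CONF FLAVOUR
#   e.g. use_ports_ssl /etc/make.conf openssl111
#   emits: DEFAULT_VERSIONS+= ssl=openssl111
use_ports_ssl() {
    append_once "$1" "DEFAULT_VERSIONS+= ssl=$2"
}

# Only touch the real /etc/make.conf when explicitly asked to.
if [ "${1:-}" = "--apply" ]; then
    set_port_option /etc/make.conf security/openssl111 WEAK-SSL-CIPHERS || :
    use_ports_ssl /etc/make.conf openssl111 || :
    # Confirm the option is now selected before rebuilding the port.
    make -C /usr/ports/security/openssl111 showconfig
fi
```

After `--apply`, `make showconfig` in the port directory should list WEAK-SSL-CIPHERS as on; anything already built against the base libssl (nagios and its plugins included) still has to be rebuilt to pick up the ports library.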


----------



## Mayhem30 (Dec 23, 2020)

I gave up on this a long time ago, but happy to see someone take interest in it.

Please keep me posted.


----------



## gushi (Dec 23, 2020)

Okay, so after a bit of digging around -- it turns out that in order to be exposed in make.conf, there has to be some "glue" magic in /usr/ports/Mk to pass those options in.

That said, if you're looking for a *programmatic* way to do this (as I was), your best answer probably is:

```sh
# per-port options live under /var/db/ports/<origin with "/" -> "_">
mkdir -p /var/db/ports/security_openssl
# turn the WEAK-SSL-CIPHERS port option on, as the options framework would
echo "OPTIONS_FILE_SET+=WEAK-SSL-CIPHERS" >> /var/db/ports/security_openssl/options
```

If you want something persistent (as I do), your best answer might be to build your own port independently via poudriere. This is annoying because it means you'll have to custom-build anything ELSE you want to depend on that port via poudriere.

For my use case, newer openssl broke a nagios check for me that was checking a piece of hardware that had older crypto on it. Ultimately, my answer is going to be installing openssl-unsafe, wrapping `/usr/local/openssl-unsafe/bin/openssl -ciphers ALL` with a perl script, and coding up a new Nagios plugin. I mention this because it looks like the rabbit hole of older crypto being a COMPILE TIME decision (as opposed to something disabled in openssl.cnf or something) is Just Too Annoying to fix.
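
A Nagios-style check along the lines gushi describes, as an added example (not his plugin and not from the original thread): it asks `openssl s_client` to negotiate one specific legacy suite, DES-CBC3-SHA by default, and reads the `Cipher    :` line of the SSL-Session summary. The compile-time caveat from this thread is the part worth getting right: a libssl built without enable-weak-ssl-ciphers rejects the cipher string locally ("no cipher match") before any packet is sent, and a plugin that does not distinguish that from a refused handshake will page you about the device when the problem is the monitoring host. The `OPENSSL_BIN` variable is an assumption, there so the check can be pointed at a ports or openssl-unsafe binary; the sample outputs are constructed, not captured from a real host.

```sh
#!/bin/sh
# Added example, not gushi's plugin: Nagios-style check of whether a host
# still completes a TLS handshake with one legacy ciphersuite (default:
# the 3DES suite DES-CBC3-SHA).  Runs "openssl s_client -cipher <suite>"
# and parses the "Cipher    :" summary line.  A local OpenSSL built without
# enable-weak-ssl-ciphers fails with "no cipher match" before connecting;
# that is reported as UNKNOWN, not as CRITICAL against the remote device.
# OPENSSL_BIN is an assumed knob for selecting a different openssl binary.

OPENSSL_BIN=${OPENSSL_BIN:-openssl}

# Nagios plugin return codes
NAGIOS_OK=0
NAGIOS_CRITICAL=2
NAGIOS_UNKNOWN=3

# Constructed s_client outputs (not captured from a real host); real output
# has many more lines, only the ones parsed below matter.
SAMPLE_OK='CONNECTED(00000003)
New, TLSv1.2, Cipher is DES-CBC3-SHA
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DES-CBC3-SHA'
SAMPLE_REFUSED='CONNECTED(00000003)
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000'
SAMPLE_NOT_BUILT='Error setting cipher list DES-CBC3-SHA
error:SSL routines:SSL_CTX_set_cipher_list:no cipher match'

# negotiated_cipher: read s_client output on stdin and print the value of the
# "Cipher    : NAME" summary line ("0000" when no session was established).
# Prints nothing when the line is absent.
negotiated_cipher() {
    sed -n 's/^[[:space:]]*Cipher[[:space:]]*:[[:space:]]*\([^[:space:]]*\).*/\1/p' | head -n 1
}

# classify WANTED OUTPUT: print "<nagios code> <status text>" for OUTPUT
classify() {
    wanted=$1
    output=$2
    case $output in
        *"no cipher match"*|*"Error setting cipher list"*)
            echo "$NAGIOS_UNKNOWN UNKNOWN - local $OPENSSL_BIN cannot use $wanted (built without enable-weak-ssl-ciphers?)"
            return 0
            ;;
    esac
    got=$(printf '%s\n' "$output" | negotiated_cipher)
    case $got in
        "$wanted") echo "$NAGIOS_OK OK - negotiated $got" ;;
        ""|0000)   echo "$NAGIOS_CRITICAL CRITICAL - no TLS session with $wanted" ;;
        *)         echo "$NAGIOS_CRITICAL CRITICAL - negotiated $got instead of $wanted" ;;
    esac
}

# probe HOST PORT CIPHER: run s_client against HOST:PORT restricted to CIPHER
probe() {
    out=$("$OPENSSL_BIN" s_client -connect "$1:$2" -cipher "$3" </dev/null 2>&1) || :
    classify "$3" "$out"
}

# check_legacy_cipher HOST PORT [CIPHER]: plugin entry point; prints the
# status text and returns the Nagios code.
check_legacy_cipher() {
    result=$(probe "$1" "$2" "${3:-DES-CBC3-SHA}")
    echo "${result#* }"
    return "${result%% *}"
}

# Usage (hypothetical host, not run here):
#   check_legacy_cipher legacy-kvm.example.net 443; exit $?
```

With the make.conf route from earlier in the thread you would set `OPENSSL_BIN=/usr/local/bin/openssl`; with gushi's openssl-unsafe plan it would point at `/usr/local/openssl-unsafe/bin/openssl`. Either way the UNKNOWN branch is what tells you the monitoring host, not the device, is the one missing 3DES.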


----------

