orca.pet

OpenSSL for legacy machines

A small how-to on configuring a modern Debian 11 "bullseye" for serving legacy SSL3, TLSv1 and TLSv1.1 machines like Windows 98 and XP boxes, or old consoles like the Nintendo DS Browser.

This tutorial assumes that you'd be using OpenSSL 3 and Apache 2.

  1. Download the source code for the OpenSSL package:

    apt-src install openssl
    cd openssl-*
    
  2. Enable weak ciphers (needed for 3DES suites) and disable tests:

    sed -ire "s/^(CONFARGS.*)/\1 enable-weak-ssl-ciphers no-tests/" debian/rules
    
  3. Build the package, with no signing:

    dpkg-buildpackage -uc -us
    
  4. Install the built package:

    dpkg -i ../*.deb
    
  5. Hold packages so they're not accidentally upgraded:

    sudo apt-mark hold libssl3 libssl-dev libssl-doc
    
  6. Test if client TLSv1 functionality works:

    openssl s_client -tls1 -cipher DES-CBC3-SHA@SECLEVEL=0 -connect google.com:443 </dev/null
    

    If so, this command should succeed.

  7. Create a new configuration file for the SSL settings. These settings are taken from the Mozilla SSL generator with one critical change: the SSLCipherString must have the @SECLEVEL=0 bit added, else 3DES cipher suites would not work even if explicitely listed there.

    sudo tee /etc/apache2/conf-available/mozilla-ssl.conf <<'EOF'
    SSLProtocol all -SSLv3
    SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA@SECLEVEL=0
    SSLHonorCipherOrder on
    SSLSessionTickets off
    
    SSLUseStapling on
    SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
    EOF
    
  8. Enable the configuration file:

    sudo ln -s /etc/apache2/conf-{available,enabled}/mozilla-ssl.conf
    
  9. Restart the Apache service:

    sudo service apache2 restart
    
  10. Finally test connection using the OpenSSL CLI to our own server:

    openssl s_client -tls1 -cipher DES-CBC3-SHA@SECLEVEL=0 -connect orca.pet:443 </dev/null
    

    If all went well, this command should succeed.