OpenSSL Configuration

Since our release of Kali Linux 2021.3 OpenSSL has been configured for wider compatibility to allow Kali to talk to as many services as possible. This means that legacy protocols (such as TLS 1.0 and TLS 1.1) and older ciphers are enabled by default. This is a change from standard behavior, as these are disabled to enforce communication over more secure channels. As a result of this change tools used inside of Kali will be able to communicate using these outdated methods. This is done to help increase Kali’s ability to talk to older, obsolete systems and servers that are still using these older protocols. Older services using this may be at end of life, thus increasing the chances of discovering vulnerabilities or other problems.

However, if you would rather keep your communication as secure as possible using today’s modern standards, you can enable the Strong Security mode.

These settings can be changed easily using the kali-tweaks tool. Simply:

  • Open a terminal and run kali-tweaks.
  • From there, select the Hardening menu.
  • Now you can choose between Wide Compatibility (the default) and Strong Security.

Note: This is achieved by changing the OpenSSL configuration through /etc/ssl/openssl.cnf and /etc/ssl/kali.cnf, so while it can restore access to some legacy services, it will not allow access to servers running protocols that are no longer compiled in the libssl library (for example SSLv3).

Updated on: 2022-Jan-24
Authors: arnaudr , elwood-offsec , g0tmi1k , rhertzog