Problem

-- Want to ensure that Gateway does not allow 2TDES within 3DES and only supports 3TDES

Resolution

* 3DES key material is generated at handshake time according to a well defined algorithm (RFC for TLS1, 1.1, 1.2).

* The key generation is made the same way on client and server side.

* The input is a combination between client and server random, some text label and the master secret agreed during handshake.

* All this input is passed through the same "pseudo-random function" (PRF) both on client and server side and same key material results on both sides.

* If, for 3DES Gateway requires 24 bytes key length, it's expected PRF to provide 24 bytes key material which is not repetitive.

* After that, the 3DES cryptographic operations are implemented in OpenSSL.

* Gateway does do not make any check on the resulting key material to see if it obtained 2DES.

* If Gateway requires 24 bytes of symmetric key, then SHA2, SHA1 or MD5 or whatever hash operation (or combination of the above) are used for the PRF implementation (depending on the TLS version) should provide such key.

* The hash operation implementations are also the ones provided by OpenSSL library.

Based on the above details, the key generation method of Gateway indeed yields 3TDES.