NULL ciphers

NULL ciphers

Detlef Vollmann
Hello,

with the following commands:

openssl s_server -accept 18010 -cert srv.crt -key test.key \
-CAfile testca.crt -debug -cipher 'NULL-SHA256' -dtls1_2

openssl s_client -connect localhost:18010 -cert clnt.crt \
  -key test.key -CAfile testca.crt -debug \
  -cipher 'COMPLEMENTOFALL:eNULL' -dtls1_2

NULL ciphers work fine with OpenSSL 1.0.2g.

With OpenSSL 1.1.1g the handshake fails on the server side with
140295725053248:error:14102438:SSL routines:dtls1_read_bytes:tlsv1 \
alert internal error:../ssl/record/rec_layer_d1.c:611:SSL alert number \
80

Even on OpenSSL 1.1.1g 'openssl ciphers -v  NULL' lists NULL-SHA256.

I'm only using s_server and s_client as tests, but I have the same
problem in my application if I use
  SSL_CTX_set_cipher_list(sslCtx, "NULL-SHA256");

What can I do to get NULL ciphers for no encryption working?

   Detlef

Re: NULL ciphers

OpenSSL - User mailing list
On Thu, Aug 13, 2020 at 08:19:10PM +0200, Detlef Vollmann wrote:

> Hello,
>
> with the following commands:
>
> openssl s_server -accept 18010 -cert srv.crt -key test.key \
> -CAfile testca.crt -debug -cipher 'NULL-SHA256' -dtls1_2
>
> openssl s_client -connect localhost:18010 -cert clnt.crt \
>  -key test.key -CAfile testca.crt -debug \
>  -cipher 'COMPLEMENTOFALL:eNULL' -dtls1_2
>
> NULL ciphers work fine with OpenSSL 1.0.2g.
>
> With OpenSSL 1.1.1g the handshake fails on the server side with
> 140295725053248:error:14102438:SSL routines:dtls1_read_bytes:tlsv1 \
> alert internal error:../ssl/record/rec_layer_d1.c:611:SSL alert number \
> 80
>
> Even on OpenSSL 1.1.1g 'openssl ciphers -v  NULL' lists NULL-SHA256.
>
> I'm only using s_server and s_client as tests, but I have the same
> problem in my application if I use
>  SSL_CTX_set_cipher_list(sslCtx, "NULL-SHA256");
>
> What can I do to get NULL ciphers for no encryption working?

-cipher 'COMPLEMENTOFALL:eNULL@SECLEVEL=0'

Re: NULL ciphers

Detlef Vollmann
On 2020-08-13 20:20, Benjamin Kaduk wrote:

> On Thu, Aug 13, 2020 at 08:19:10PM +0200, Detlef Vollmann wrote:
>> Hello,
>>
>> with the following commands:
>>
>> openssl s_server -accept 18010 -cert srv.crt -key test.key \
>> -CAfile testca.crt -debug -cipher 'NULL-SHA256' -dtls1_2
>>
>> openssl s_client -connect localhost:18010 -cert clnt.crt \
>>   -key test.key -CAfile testca.crt -debug \
>>   -cipher 'COMPLEMENTOFALL:eNULL' -dtls1_2
>>
>> NULL ciphers work fine with OpenSSL 1.0.2g.
>>
>> With OpenSSL 1.1.1g the handshake fails on the server side with
>> 140295725053248:error:14102438:SSL routines:dtls1_read_bytes:tlsv1 \
>> alert internal error:../ssl/record/rec_layer_d1.c:611:SSL alert number \
>> 80
>>
>> Even on OpenSSL 1.1.1g 'openssl ciphers -v  NULL' lists NULL-SHA256.
>>
>> I'm only using s_server and s_client as tests, but I have the same
>> problem in my application if I use
>>   SSL_CTX_set_cipher_list(sslCtx, "NULL-SHA256");
>>
>> What can I do to get NULL ciphers for no encryption working?
>
> -cipher 'COMPLEMENTOFALL:eNULL@SECLEVEL=0'

Wow, great :-)
Thanks a lot for this quick reply, it actually works :-)

   Detlef
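
Added example, not part of the thread: the first post notes that `openssl ciphers -v NULL` still lists NULL-SHA256 on 1.1.1g; that listing ignores the security level, while the `-s` option applies it. The script below compares listed against negotiable suites for the cipher strings in the thread and reports any no-encryption suite a string leaves usable. The function names are mine, it assumes an `openssl` 1.1.0 or later binary on PATH, and it uses `-tls1_2` because DTLS 1.2 shares the TLS 1.2 cipher suites.

```shell
#!/bin/sh
# Added example (not from the thread). Needs the openssl CLI, 1.1.0 or later.

# Suites named by cipher string $1 with no security-level filtering
# (the view `openssl ciphers -v NULL` gives in the first post).
listed_suites() {
    openssl ciphers -tls1_2 -v "$1" 2>/dev/null | awk '{print $1}'
}

# Suites that survive the security level and protocol bounds (-s),
# i.e. what a handshake could actually negotiate.
usable_suites() {
    openssl ciphers -s -tls1_2 -v "$1" 2>/dev/null | awk '{print $1}'
}

# Usable suites with no encryption (Enc=None). Any output means records
# would be integrity-protected but sent in cleartext.
usable_null_suites() {
    openssl ciphers -s -tls1_2 -v "$1" 2>/dev/null | awk '/Enc=None/ {print $1}'
}

# Succeeds if suite $2 is in the output of function $1 for cipher string $3.
has_suite() {
    "$1" "$3" | grep -qx -- "$2"
}

# Cipher strings from the thread, plus DEFAULT as a baseline.
for str in 'NULL-SHA256' 'NULL-SHA256:@SECLEVEL=0' \
           'COMPLEMENTOFALL:eNULL' 'COMPLEMENTOFALL:eNULL@SECLEVEL=0' \
           'DEFAULT'; do
    if has_suite listed_suites NULL-SHA256 "$str"; then l=yes; else l=no; fi
    if has_suite usable_suites NULL-SHA256 "$str"; then u=yes; else u=no; fi
    n=$(usable_null_suites "$str" | wc -l)
    printf '%-34s listed=%-3s usable=%-3s null_suites_usable=%s\n' \
        "$str" "$l" "$u" "$n"
done
```

Running `usable_null_suites` on a production cipher string should print nothing; any output means a no-encryption suite is negotiable with that configuration.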