Re: using NULL ciphers


Re: using NULL ciphers

Qi Zeng

Hello,

I’m trying to use a NULL cipher such as ECDHE-ECDSA-NULL-SHA for debugging purposes. With OpenSSL version 1.0.2p, I was able to make it work. However, with version 1.1.0i or 1.1.1 pre 9, SSL_CTX_set_cipher_list(ctx, "ECDHE-ECDSA-NULL-SHA") succeeded but SSL_connect() failed. Is there any way to enable NULL ciphers with version 1.1.0i or later?


Thanks,

Qi


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: using NULL ciphers

Viktor Dukhovni


> On Aug 22, 2018, at 1:56 PM, Qi Zeng <[hidden email]> wrote:
>
> I’m trying to use a NULL cipher such as ECDHE-ECDSA-NULL-SHA for debugging purposes. With OpenSSL version 1.0.2p, I was able to make it work. However, with version 1.1.0i or 1.1.1 pre 9, SSL_CTX_set_cipher_list(ctx, "ECDHE-ECDSA-NULL-SHA") succeeded but SSL_connect() failed. Is there any way to enable NULL ciphers with version 1.1.0i or later?

Yes, you need to use:

   "ECDHE-ECDSA-NULL-SHA:@SECLEVEL=0"

at present there are no separate controls to distinguish between the
authentication security level and the encryption security level, so
this also removes floors on the keys used in the certificates, but
for debugging that should not be an obstacle...

--
        Viktor.


Re: using NULL ciphers

Kurt Roeckx
On Wed, Aug 22, 2018 at 02:08:42PM -0400, Viktor Dukhovni wrote:

>
>
> > On Aug 22, 2018, at 1:56 PM, Qi Zeng <[hidden email]> wrote:
> >
> > I’m trying to use a NULL cipher such as ECDHE-ECDSA-NULL-SHA for debugging purposes. With OpenSSL version 1.0.2p, I was able to make it work. However, with version 1.1.0i or 1.1.1 pre 9, SSL_CTX_set_cipher_list(ctx, "ECDHE-ECDSA-NULL-SHA") succeeded but SSL_connect() failed. Is there any way to enable NULL ciphers with version 1.1.0i or later?
>
> Yes, you need to use:
>
>    "ECDHE-ECDSA-NULL-SHA:@SECLEVEL=0"
>
> at present there are no separate controls to distinguish between the
> authentication security level and the encryption security level, so
> this also removes floors on the keys used in the certificates, but
> for debugging that should not be an obstacle...

With 1.1.1 pre 9 you also might try to be using TLS 1.3, and that
does not support a NULL cipher.


Kurt
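
The two replies above combined into one debugging configuration, as an added example that is not part of the original thread: it uses Python's `ssl` module, which hands the cipher string to OpenSSL unchanged, and assumes a Python linked against OpenSSL 1.1.1 or later with the NULL suites compiled in. The function names are hypothetical.

```python
import ssl

# Cipher string from Viktor's reply: the NULL suite plus security level 0.
NULL_DEBUG_CIPHERS = "ECDHE-ECDSA-NULL-SHA:@SECLEVEL=0"


def debug_null_context(ciphers=NULL_DEBUG_CIPHERS):
    """Client context for debugging only: integrity-protected, unencrypted records."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Kurt's point: TLS 1.3 has no NULL suite, and its suites are configured
    # separately from this cipher string, so cap the handshake at TLS 1.2.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(ciphers)  # raises ssl.SSLError if nothing matches
    return ctx


def classify_suites(ctx):
    """Group the suites configured on ctx by what they mean for confidentiality."""
    groups = {"null": [], "tls13": [], "encrypted": []}
    for suite in ctx.get_ciphers():
        if suite["strength_bits"] == 0:
            groups["null"].append(suite["name"])
        elif suite["protocol"] == "TLSv1.3":
            groups["tls13"].append(suite["name"])
        else:
            groups["encrypted"].append(suite["name"])
    return groups


def null_suites_enabled_by(cipher_string):
    """Audit helper: which NULL-encryption suites does a cipher string turn on?"""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return classify_suites(ctx)["null"]


if __name__ == "__main__":
    ctx = debug_null_context()
    print("max version:", ctx.maximum_version.name)
    for group, names in classify_suites(ctx).items():
        print(f"{group:9} {names}")
    print("DEFAULT enables NULL suites:", null_suites_enabled_by("DEFAULT"))
```

Running `null_suites_enabled_by` over a production cipher string is a quick way to confirm that a debugging setting like this one did not survive into a deployed configuration.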


Re: using NULL ciphers

Qi Zeng
Viktor and Kurt,

Thanks for the help! Now it's working.

Qi
