Re: using NULL ciphers

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

> On Aug 22, 2018, at 1:56 PM, Qi Zeng <[hidden email]> wrote:
>
> I’m trying to use NULL cipher such as ECDHE-ECDSA-NULL-SHA for debugging purpose. With OpenSSL version 1.0.2p, I was able to make it work. However  with version 1.1.0i or 1.1.1 prev 9, SSL_CTX_set_cipher_list(ctx, "ECDHE-ECDSA-NULL-SHA") succeeded but SSL_Connect () failed. Is there any way to enable NULL ciphers with version 1.1.0i or later?

Yes, you need to use:

   "ECDHE-ECDSA-NULL-SHA:@SECLEVEL=0"

at present there are no separate controls to distinguish between the
authentication security level and the encryption security level, so
this also removes floors on the keys used in the certificates, but
for debugging that should not be an obstacle...

--
        Viktor.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

On Wed, Aug 22, 2018 at 02:08:42PM -0400, Viktor Dukhovni wrote:
With 1.1.1 pre 9 you also might try to be using TLS 1.3, and that
does not support a NULL cipher.


Kurt

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Viktor and Kurt,

Thanks for the help! Now it's working.

Qi

-----Original Message-----
From: openssl-users [mailto:[hidden email]] On Behalf Of Kurt Roeckx
Sent: Wednesday, August 22, 2018 2:12 PM
To: [hidden email]
Subject: Re: [openssl-users] using NULL ciphers

On Wed, Aug 22, 2018 at 02:08:42PM -0400, Viktor Dukhovni wrote:
With 1.1.1 pre 9 you also might try to be using TLS 1.3, and that
does not support a NULL cipher.


Kurt

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users