Unable to select NULL or NULL-MD5

Eric Jacksch
Greetings,

I'm using OpenSSL for testing and recently compiled 1.1.0g and h. I'm seeing the same behaviour in both. 

openssl ciphers -v lists the NULL ciphers, but when I try to use NULL or NULL-MD5 I get the same result:  No ciphers available.

I've tried several compile options to no avail.

Can anyone point me in the right direction?

Thanks!


./openssl s_client -connect x.x.x.x:443 -cipher NULL

CONNECTED(00000003)
140735917126464:error:141640B5:SSL routines:tls_construct_client_hello:no ciphers available:ssl/statem/statem_clnt.c:800:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1522278574
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

--
Eric Jacksch, CPP, CISM, CISSP
+1 613 482-7650
[hidden email]
Twitter: @EricJacksch
https://SecurityShelf.com

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: Unable to select NULL or NULL-MD5

Matt Caswell-2


On 29/03/18 00:14, Eric Jacksch wrote:

> Greetings,
>
> I'm using OpenSSL for testing and recently compiled 1.1.0g and h. I'm
> seeing the same behaviour in both. 
>
> openssl ciphers -v lists the NULL ciphers, but when I try to use NULL or
> NULL-MD5 I get the same result:  No ciphers available.
>
> I've tried several compile options to no avail.
>
> Can anyone point me in the right direction?
>
> Thanks!
>
>
> ./openssl s_client -connect x.x.x.x:443 -cipher NULL

Change your cipher list to be `-cipher NULL:@SECLEVEL=0`. If your server
is also running OpenSSL then you'll need to enable it there as well.

The default security level is 1, which disables NULL ciphers amongst
various other things.

Matt





>
> CONNECTED(00000003)
> 140735917126464:error:141640B5:SSL routines:tls_construct_client_hello:no ciphers available:ssl/statem/statem_clnt.c:800:
> ---
> no peer certificate available
> ---
> No client certificate CA names sent
> ---
> SSL handshake has read 0 bytes and written 0 bytes
> Verification: OK
> ---
> New, (NONE), Cipher is (NONE)
> Secure Renegotiation IS NOT supported
> Compression: NONE
> Expansion: NONE
> No ALPN negotiated
> SSL-Session:
>     Protocol  : TLSv1.2
>     Cipher    : 0000
>     Session-ID: 
>     Session-ID-ctx: 
>     Master-Key: 
>     PSK identity: None
>     PSK identity hint: None
>     SRP username: None
>     Start Time: 1522278574
>     Timeout   : 7200 (sec)
>     Verify return code: 0 (ok)
>     Extended master secret: no
> ---
>
> --
> Eric Jacksch, CPP, CISM, CISSP
> +1 613 482-7650
> [hidden email]
> Twitter: @EricJacksch
> https://SecurityShelf.com

Re: Unable to select NULL or NULL-MD5

OpenSSL - User mailing list
In reply to this post by Eric Jacksch

> openssl ciphers -v lists the NULL ciphers, but when I try to use NULL or NULL-MD5 I get the same result:  No ciphers available.

You have to configure with a cipher string that has “@SECLEVEL=0” in it.



Re: Unable to select NULL or NULL-MD5

Viktor Dukhovni
In reply to this post by Eric Jacksch


> On Mar 28, 2018, at 7:14 PM, Eric Jacksch <[hidden email]> wrote:
>
> I'm using OpenSSL for testing and recently compiled 1.1.0g and h. I'm seeing the same behaviour in both.
>
> openssl ciphers -v lists the NULL ciphers, but when I try to use NULL or NULL-MD5 I get the same result:  No ciphers available.
>
> I've tried several compile options to no avail.

To use eNULL ciphers you must set the security level to 0:

$ openssl ciphers -s -tls1_2 -v eNULL:@SECLEVEL=0
ECDHE-ECDSA-NULL-SHA    TLSv1 Kx=ECDH     Au=ECDSA Enc=None      Mac=SHA1
ECDHE-RSA-NULL-SHA      TLSv1 Kx=ECDH     Au=RSA  Enc=None      Mac=SHA1
AECDH-NULL-SHA          TLSv1 Kx=ECDH     Au=None Enc=None      Mac=SHA1
NULL-SHA256             TLSv1.2 Kx=RSA      Au=RSA  Enc=None      Mac=SHA256
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
NULL-MD5                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=MD5

--
        Viktor.
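
An added example, not written by any poster in this thread and not OpenSSL project code: a small audit that flags a cipher configuration offering unencrypted suites, using the `Enc=None` column shown in the listing above. The function names (`null_suites`, `lowers_seclevel`, `audit`) are hypothetical, and the embedded sample is constructed from the six lines quoted above plus one constructed encrypting suite.

```shell
#!/bin/sh
# Added example: flag cipher configurations that offer unencrypted (eNULL) suites.

# Constructed sample: the six eNULL lines from the reply above, plus one
# encrypting suite (constructed) for contrast.
sample_output() {
cat <<'EOF'
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
ECDHE-ECDSA-NULL-SHA    TLSv1 Kx=ECDH     Au=ECDSA Enc=None      Mac=SHA1
ECDHE-RSA-NULL-SHA      TLSv1 Kx=ECDH     Au=RSA  Enc=None      Mac=SHA1
AECDH-NULL-SHA          TLSv1 Kx=ECDH     Au=None Enc=None      Mac=SHA1
NULL-SHA256             TLSv1.2 Kx=RSA      Au=RSA  Enc=None      Mac=SHA256
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
NULL-MD5                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=MD5
EOF
}

# Read `openssl ciphers -v` output on stdin; print names of suites with no encryption.
null_suites() {
    awk '{ for (i = 2; i <= NF; i++) if ($i == "Enc=None") { print $1; break } }'
}

# Succeed if the cipher string (tokens split on ':', ',' or space) sets @SECLEVEL=0.
lowers_seclevel() {
    printf '%s\n' "$1" | tr ':, ' '\n\n\n' | grep -qx '@SECLEVEL=0'
}

# $1 = configured cipher string, stdin = its expanded suite list.
audit() {
    count=$(null_suites | wc -l | tr -d ' ')
    if [ "$count" -eq 0 ]; then
        echo "OK"
    elif lowers_seclevel "$1"; then
        echo "FAIL seclevel0 null=$count"
    else
        # NULL suites listed without @SECLEVEL=0 in the string: the list was
        # produced without -s, or the level is lowered somewhere else.
        echo "FAIL null=$count"
    fi
}

# Demo on the constructed sample. Against a real build, pipe in:
#   openssl ciphers -s -v "$cipher_string"
sample_output | audit 'eNULL:@SECLEVEL=0'
```

Feed it the `-s` form of the listing: without `-s`, `openssl ciphers -v` also prints suites that the security level will refuse at handshake time, which is the mismatch the original question ran into.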
