testing null encryption


testing null encryption

navin gopalakrishnan
Hi,

I am using openssl-1.0.0d. I downloaded the source and built the library.
Can anyone suggest how to do the following:

a) testing NULL Encryption:
   While building openssl I modified the macro SSL_DEFAULT_CIPHER_LIST to
   #define SSL_DEFAULT_CIPHER_LIST "eNULL"
My understanding is that the above modification would provide only data authentication with NO encryption.
Am I right? Is there a way to check this by running any test programs? If any such program is already provided
along with the package, it would be good to use it.
Kindly let me know if there is any option.

b) build openssl with no compression/decompression support in openssl.
  While building openssl I passed the "no-zlib" option to the configure script and the build went fine.
  How am I to ensure the library is built with no compression/decompression routines?

Thanks.

have a nice day,
navin


disabling encryption

navin gopalakrishnan
Hi,
   I am using openssl-1.0.0d.

I would prefer to disable encryption in the ssl protocol and have only authentication & integrity,
i.e. application data is sent without encryption.

Is there a way to do this in openssl?

Does usage of eNULL in the default cipherlist provide this?

Thanks.

have a nice day,
navin


Re: testing null encryption

Victor Duchovni
In reply to this post by navin gopalakrishnan
On Wed, Jul 27, 2011 at 02:53:09AM -0700, navin gopalakrishnan wrote:

> a) testing NULL Encryption:
>
> While building openssl i modified the macro SSL_DEFAULT_CIPHER_LIST to
> #define SSL_DEFAULT_CIPHER_LIST "eNULL"

That was unwise, don't do that.

> My understanding is the above modification would provide only data authentication with NO encryption.

Or possibly neither:

    $ openssl ciphers -v eNULL
    ECDHE-RSA-NULL-SHA      SSLv3 Kx=ECDH     Au=RSA  Enc=None      Mac=SHA1
    ECDHE-ECDSA-NULL-SHA    SSLv3 Kx=ECDH     Au=ECDSA Enc=None      Mac=SHA1
    AECDH-NULL-SHA          SSLv3 Kx=ECDH     Au=None Enc=None      Mac=SHA1
    ECDH-RSA-NULL-SHA       SSLv3 Kx=ECDH/RSA Au=ECDH Enc=None      Mac=SHA1
    ECDH-ECDSA-NULL-SHA     SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=None      Mac=SHA1
    NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
    NULL-MD5                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=MD5

as you can see above, the AECDH-NULL-SHA cipher provides neither
authentication nor encryption, just message integrity over an anonymous
channel.

> Is there a way to check this by running any test programs.

You should not change the DEFAULT cipher list. Rather, applications can
be configured with appropriate ciphers at run-time. The ciphers(1)
utility, by default lists the DEFAULT ciphers.

        $ openssl ciphers
        $ openssl ciphers -v

> b) build openssl with no compression/decompression support in openssl.

You could read the "INSTALL" document that is included with the source
code.

> While building openssl passed "no-zlib" option in the configure script and build went fine.

This is documented to do what you requested.

--
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: disabling encryption

yyy-2
In reply to this post by navin gopalakrishnan
Yeah, it does seem to do that. I tested it with s_client and s_server (s_server with -cipher eNULL),
and if the client was also not run with -cipher eNULL, then the connection failed.
So there might be a need to explicitly configure both ends of the connection.

Re: testing null encryption

navin gopalakrishnan
In reply to this post by Victor Duchovni
hi,

  thanks for the info Victor.

I played with the openssl command line utility, using s_client & s_server configured to use eNULL with only NULL_SHA, NULL_MD5. The other ciphers of eNULL are disabled.
I could see the client sending the above ciphers and the server selecting NULL_SHA. Whatever I type at the server I could see in the client terminal.
Hence I assume the exchange between client & server does happen.

I have two queries:
1) When I use my own applications (client & server) which use the openssl library, a separate client program and a separate server program, both configured to use only eNULL as above (i.e. with only NULL_SHA & NULL_MD5),
 I am seeing an error at the server application saying:

     Error in GET_CLIENT_HELLO_MSG: No shared ciphers: in s_srvr.c .....

I feel there is something missing in my client & server applications compared to the openssl client & server programs.
I am unable to understand what the error message is saying. I was expecting that since both my client & server have the common ciphers NULL_SHA & NULL_MD5,
one of them would get selected and the handshake should get completed....

Can somebody tell me what the error message conveys in my application?


2) Getting back to the client & server programs supplied along with the openssl package. When eNULL was configured as mentioned above, I ran the wireshark
packet capture utility.
I typed "hello world" at the server and the "hello world" was reflected in the client.

I was expecting "hello world" to be seen in clear text because NULL encryption is used.
But in wireshark I could not see anything in clear text. At least I could not see "hello world" in the application data section of wireshark.
Rightly, application data was after the client hello exchange messages sent by the ssl protocol.

I am wondering why the clear text message was not seen .... is any form of encoding used by the client & server??

Thanks.
have a nice day,
navin

Re: testing null encryption

Victor Duchovni
On Thu, Jul 28, 2011 at 09:14:34AM -0700, navin gopalakrishnan wrote:

> 1) When i use my own applications (client & server) which uses
> the openssl library a separate client program and a separate server
> program, both configured to use only eNULL as above. (i.e. with only
> NULL_SHA & NULL_MD5),

The ciphers are "NULL-SHA" and "NULL-MD5", not "NULL_SHA" or "NULL_MD5".

    $ openssl ciphers -v NULL-SHA:NULL-MD5
    NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
    NULL-MD5                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=MD5

> I am seeing a error at the server application saying:
>
>      Error in GET_CLIENT_HELLO_MSG: No shared ciphers: in s_srvr.c .....

Then perhaps you have not installed a suitable server certificate, or
more likely you have not in fact correctly configured the client or
server cipherlist.

> Unable to understand what the error message is saying .. i was expecting that since both my client & server have the common ciphers - NULL_SHA & NULL_MD5,
> one of them to get selected and the handshake should get completed....

Either the server has no certificate, or you've misconfigured the
ciphers:

> 2) Getting back to the client & server programs supplied along with the openssl package. When eNULL was configured as mentioned above, ran the wireshark
> packet capture utility.
> typed " hello world" at the server and the "hello world" was reflected in the client.
>
>
> Was expecting "hello world" to be seen in clear text because NULL encryption is used.
>
> But in wireshark i could not see anything in clear text .. Atleast i could not see "hello world" in the application data section of wireshark.
> Rightly application data was after the client hello exchange messages sent by the ssl protocol.
>
> wondering why clear text message was not seen .... does any form of encoding is used by the client & server.??

Compression may have been enabled. Or your test is flawed.

--
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
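An added cipher-list audit (not code from the thread or from OpenSSL) that parses the `openssl ciphers -v` listing Victor quoted, flags every suite whose Au or Enc column is None (the AECDH-NULL-SHA case above), and checks a runtime cipher string for the underscore misspelling NULL_SHA vs NULL-SHA from the reply above. The listing is embedded as constructed sample input; KEYWORDS is an assumed partial subset of ciphers(1) keywords.

```python
import re

# Constructed sample input: the `openssl ciphers -v eNULL` listing quoted in the thread.
CIPHERS_V_OUTPUT = """\
ECDHE-RSA-NULL-SHA      SSLv3 Kx=ECDH     Au=RSA  Enc=None      Mac=SHA1
ECDHE-ECDSA-NULL-SHA    SSLv3 Kx=ECDH     Au=ECDSA Enc=None      Mac=SHA1
AECDH-NULL-SHA          SSLv3 Kx=ECDH     Au=None Enc=None      Mac=SHA1
ECDH-RSA-NULL-SHA       SSLv3 Kx=ECDH/RSA Au=ECDH Enc=None      Mac=SHA1
ECDH-ECDSA-NULL-SHA     SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=None      Mac=SHA1
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
NULL-MD5                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=MD5
"""

FIELD_RE = re.compile(r"(Kx|Au|Enc|Mac)=(\S+)")

# Assumed, partial set of cipher-string keywords that are not suite names.
KEYWORDS = {"DEFAULT", "ALL", "COMPLEMENTOFALL", "COMPLEMENTOFDEFAULT", "HIGH",
            "MEDIUM", "LOW", "eNULL", "aNULL", "NULL", "RSA", "kRSA", "aRSA",
            "MD5", "SHA", "SHA1"}


def parse_ciphers_v(text):
    """Turn each `openssl ciphers -v` line into a dict: name, proto, Kx, Au, Enc, Mac."""
    suites = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        entry = {"name": parts[0], "proto": parts[1]}
        entry.update(FIELD_RE.findall(line))  # list of (column, value) pairs
        suites.append(entry)
    return suites


def audit(suites):
    """Map suite name -> findings for suites that lack authentication or encryption."""
    findings = {}
    for s in suites:
        issues = []
        if s.get("Au") == "None":
            issues.append("Au=None: anonymous key exchange, peer is not authenticated")
        if s.get("Enc") == "None":
            issues.append("Enc=None: application data is sent in clear, only MAC-protected")
        if issues:
            findings[s["name"]] = issues
    return findings


def unknown_suite_names(cipher_string, suites):
    """Components of a ':'-separated cipher string that are neither a listed suite
    name nor a known keyword, e.g. 'NULL_SHA' written with an underscore."""
    known = {s["name"] for s in suites} | KEYWORDS
    return [c for c in cipher_string.split(":") if c.lstrip("!-+") not in known]
```

A cipher string with an unknown component is exactly the kind of misconfiguration that surfaces as "No shared ciphers" at the server.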

Re: testing null encryption

yyy-2
In reply to this post by navin gopalakrishnan

I also tried the same, and although wireshark labeled these data as
"encrypted application data", the text next to the hex data in the bottom window
contained unencrypted data. There was something added at the end, though.
(The negotiated ciphersuite was NULL-SHA.)

> 2) Getting back to the client & server programs supplied along with the openssl package. When eNULL was configured as mentioned above, ran the wireshark
> packet capture utility.
> typed " hello world" at the server and the "hello world" was reflected in the client.
>
> Was expecting "hello world" to be seen in clear text because NULL encryption is used.
> But in wireshark i could not see anything in clear text .. Atleast i could not see "hello world" in the application data section of wireshark.
> Rightly application data was after the client hello exchange messages sent by the ssl protocol.
>
> wondering why clear text message was not seen .... does any form of encoding is used by the client & server.??

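As an added illustration (not the thread's or OpenSSL's code) of what yyy-2 saw in the capture: with NULL-SHA a TLS 1.0 application-data record is literally the plaintext followed by a 20-byte HMAC-SHA1 computed per RFC 2246 section 6.2.3.1, so the text is readable on the wire and the trailing bytes are the MAC. The MAC key here is a constructed placeholder; a real one is derived from the handshake key block.

```python
import hmac
import hashlib
import struct

MAC_LEN = 20          # HMAC-SHA1 output: the "something added at the end"
APPLICATION_DATA = 23
TLS10 = 0x0301


def tls10_mac(mac_key, seq_num, content_type, version, fragment):
    """TLS 1.0 record MAC: HMAC(key, seq_num || type || version || length || fragment)."""
    header = struct.pack("!QBHH", seq_num, content_type, version, len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha1).digest()


def build_record(mac_key, seq_num, fragment, content_type=APPLICATION_DATA, version=TLS10):
    """Wrap application data in a NULL-SHA record. With a null cipher the
    'ciphertext' is fragment || MAC, so the plaintext appears verbatim."""
    mac = tls10_mac(mac_key, seq_num, content_type, version, fragment)
    body = fragment + mac
    return struct.pack("!BHH", content_type, version, len(body)) + body


def open_record(mac_key, seq_num, record):
    """Parse and verify a record; return the fragment, or None if the MAC check
    fails (tampering or wrong sequence number) or the record is truncated."""
    if len(record) < 5:
        return None
    content_type, version, length = struct.unpack("!BHH", record[:5])
    body = record[5:5 + length]
    if len(body) != length or length < MAC_LEN:
        return None
    fragment, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    expected = tls10_mac(mac_key, seq_num, content_type, version, fragment)
    if not hmac.compare_digest(mac, expected):
        return None
    return fragment


if __name__ == "__main__":
    key = b"\x11" * 20   # constructed placeholder MAC secret
    rec = build_record(key, 0, b"hello world\n")
    print(rec.hex())      # the ASCII of "hello world" is visible in this dump
```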