mintls, maxtls, enclair, and cipher.

Hal Murray hmurray at megapathdsl.net
Sun Feb 3 13:53:22 UTC 2019


> The "enclair" option is intended to disable crypto negotiation so
> certificates are not required and traffic is sent en clair.

Please verify with a TLS wizard that you can do what you are describing with 
OpenSSL.  I've poked around a bit and don't know how to do that.

I think you get an error if client/server can't find a matching crypto 
algorithm.  I don't know how to say no-crypto.  It sounds like the sort of 
operational bug-attractor that you would like to stamp out.

It's easy to set up a junk self-signed certificate for the server.  We could 
ship one to enable testing -- or waf could generate one on the fly.  I don't 
know if the server can run without a certificate.  Seems like a reasonable 
request, but a quick search found several questions without any answer.

It's easy for the client to not check the certificate.


-- 
These are my opinions.  I hate spam.




