mintls, maxtls, enclair, and cipher.
Kurt Roeckx
kurt at roeckx.be
Sun Feb 3 21:31:26 UTC 2019
On Sun, Feb 03, 2019 at 03:15:55PM -0600, Richard Laager via devel wrote:
> On 2/3/19 1:01 PM, Eric S. Raymond wrote:
> > I guess it will have to be an empty string that disables encryption.
>
> I'm not sure if you wrote this before the recent messages on the NULL
> ciphers. But you said you were going to use that, so...
>
> It's not an empty string... the NULL ciphers have specific names that
> are valid in an OpenSSL cipher string.
>
> See `openssl ciphers -v 'NULL'`.
>
> You would use:
> ciphers NULL
>
> or something more specific if you want:
> ciphers NULL-SHA256
>
> That would select a NULL cipher.

Note that by default that doesn't work. You need to lower the
security level to 0. You can do that with NULL@SECLEVEL=0:

$ openssl ciphers -tls1_2 -s -v NULL@SECLEVEL=0
ECDHE-ECDSA-NULL-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=None Mac=SHA1
ECDHE-RSA-NULL-SHA TLSv1 Kx=ECDH Au=RSA Enc=None Mac=SHA1
AECDH-NULL-SHA TLSv1 Kx=ECDH Au=None Enc=None Mac=SHA1
NULL-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=None Mac=SHA256
NULL-SHA SSLv3 Kx=RSA Au=RSA Enc=None Mac=SHA1
NULL-MD5 SSLv3 Kx=RSA Au=RSA Enc=None Mac=MD5

Note that I've added the -s option, which limits it to the usable
ciphers, and I've added -tls1_2 to prevent it from showing TLS 1.3
ciphers.

Note that TLS 1.3 does not support a NULL cipher.

Kurt
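
A defender-side check built on the listing in the message above, as an added example that is not part of the original message: it reads `openssl ciphers -v` output and flags every suite whose `Enc=` or `Au=` field is `None`. The function names (`weak_suites`, `check_cipher_string`, `sample_listing`) are this example's own.

```shell
#!/bin/sh
# Added example; the function names are this example's own.

# Reads `openssl ciphers -v` lines on stdin and prints "<suite> <reasons>"
# for every suite whose Au= or Enc= field is None. Always returns 0.
weak_suites() {
    awk '{
        reason = ""
        for (i = 2; i <= NF; i++) {
            if ($i == "Au=None")  reason = reason " no-authentication"
            if ($i == "Enc=None") reason = reason " no-encryption"
        }
        if (reason != "") print $1 reason
    }'
}

# Expands a cipher string with the local openssl binary (-s keeps only the
# suites that are usable) and returns 1 if a weak suite would be offered,
# 2 if openssl itself rejects the string.
check_cipher_string() {
    listing=$(openssl ciphers -s -v "$1") || return 2
    found=$(printf '%s\n' "$listing" | weak_suites)
    if [ -n "$found" ]; then
        printf '%s\n' "$found" >&2
        return 1
    fi
    return 0
}

# The listing quoted in the message above, kept inline as offline input.
sample_listing() {
    cat <<'EOF'
ECDHE-ECDSA-NULL-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=None Mac=SHA1
ECDHE-RSA-NULL-SHA TLSv1 Kx=ECDH Au=RSA Enc=None Mac=SHA1
AECDH-NULL-SHA TLSv1 Kx=ECDH Au=None Enc=None Mac=SHA1
NULL-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=None Mac=SHA256
NULL-SHA SSLv3 Kx=RSA Au=RSA Enc=None Mac=SHA1
NULL-MD5 SSLv3 Kx=RSA Au=RSA Enc=None Mac=MD5
EOF
}
```

Run `check_cipher_string` on the cipher string from a server's configuration; a non-zero exit means the installed OpenSSL would offer a suite with no encryption or no authentication, or rejected the string.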