[openssl-users] using NULL ciphers

Kurt Roeckx kurt at roeckx.be
Wed Aug 22 18:12:24 UTC 2018


On Wed, Aug 22, 2018 at 02:08:42PM -0400, Viktor Dukhovni wrote:
> 
> 
> > On Aug 22, 2018, at 1:56 PM, Qi Zeng <qzeng at odva.org> wrote:
> > 
> > I’m trying to use a NULL cipher such as ECDHE-ECDSA-NULL-SHA for debugging purposes. With OpenSSL version 1.0.2p, I was able to make it work. However, with version 1.1.0i or 1.1.1 pre 9, SSL_CTX_set_cipher_list(ctx, "ECDHE-ECDSA-NULL-SHA") succeeded but SSL_connect() failed. Is there any way to enable NULL ciphers with version 1.1.0i or later?
> 
> Yes, you need to use:
> 
>    "ECDHE-ECDSA-NULL-SHA:@SECLEVEL=0"
> 
> at present there are no separate controls to distinguish between the
> authentication security level and the encryption security level, so
> this also removes floors on the keys used in the certificates, but
> for debugging that should not be an obstacle...

With 1.1.1 pre 9 you might also be trying to use TLS 1.3, and that
does not support a NULL cipher.


Kurt
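
An added illustration, not part of the original thread: the cipher string from the reply above applied through Python's ssl module, which hands it to OpenSSL unchanged, together with a check for whether a context could end up unencrypted. The helper names are hypothetical, and the code assumes an OpenSSL build that still includes the NULL suites and supports TLS 1.3.

```python
import ssl

NULL_DEBUG_CIPHERS = "ECDHE-ECDSA-NULL-SHA:@SECLEVEL=0"  # string from the thread


def null_debug_context(ciphers=NULL_DEBUG_CIPHERS):
    """Client context for a debugging session that must negotiate a NULL suite."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # @SECLEVEL=0 lifts the floor that rejects NULL suites at handshake time.
    # It also lifts the floor on certificate key sizes, as noted in the thread.
    ctx.set_ciphers(ciphers)
    # TLS 1.3 has no NULL suite, so cap the version; otherwise the handshake
    # may negotiate an encrypted TLS 1.3 suite instead.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def unencrypted_suites(ctx):
    """Names of enabled suites whose symmetric cipher has zero key bits."""
    return [c["name"] for c in ctx.get_ciphers() if c["strength_bits"] == 0]


def plaintext_possible(ctx):
    """True if this context could end up on a connection with no encryption."""
    allows_pre_tls13 = ctx.minimum_version < ssl.TLSVersion.TLSv1_3
    return allows_pre_tls13 and bool(unencrypted_suites(ctx))


if __name__ == "__main__":
    debug_ctx = null_debug_context()
    print("debug context NULL suites:", unencrypted_suites(debug_ctx))
    print("debug context plaintext possible:", plaintext_possible(debug_ctx))
    default_ctx = ssl.create_default_context()
    print("default context plaintext possible:", plaintext_possible(default_ctx))
```

For any context outside a debugging session, `plaintext_possible` should return False.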


