[openssl-dev] s_client version 1.1 fails to handshake to s_server when -nocert option

Viktor Dukhovni openssl-users at dukhovni.org
Mon Jan 25 14:54:49 UTC 2016


> On Jan 10, 2016, at 8:39 AM, Michel <michel.sales at free.fr> wrote:
> 
> but NOT with version 1.1-pre : 
> openssl s_server -nocert -cipher "ALL:eNULL:@STRENGTH"
> openssl s_client  -cipher "ALL:eNULL:@STRENGTH"
>  

Try:

	-cipher "ALL:eNULL:@STRENGTH:@SECLEVEL=0"

The default security level 1 disables aNULL ciphers.

Perhaps disabling aNULL via @SECLEVEL is not the right thing to do.
The semantics of SECLEVEL are not yet set in stone, and authentication
is quite separate from crypto security, so perhaps if you enable aNULL
ciphers you should get them.  After all, even if certificates are used,
nothing forces you to verify them.

-- 
	Viktor.





More information about the openssl-dev mailing list