[openssl-dev] s_client version 1.1 fails to handshake to s_server when -nocert option

Michel michel.sales at free.fr
Mon Jan 25 16:36:37 UTC 2016


Thank you very much for your answer, Viktor!
It works, using:
openssl s_server -nocert -cipher "ALL:@STRENGTH:@SECLEVEL=0"
openssl s_client -cipher "ALL:@STRENGTH:@SECLEVEL=0"
I was able to handshake an "AECDH-AES256-SHA" cipher.
:-)
I will try to investigate deeper around the SECLEVEL=... keyword that I
completely missed.

Regards,

Michel.

-----Original Message-----
From: openssl-dev [mailto:openssl-dev-bounces at openssl.org] On Behalf Of
Viktor Dukhovni
Sent: Monday, January 25, 2016 15:55
To: openssl-dev at openssl.org
Subject: Re: [openssl-dev] s_client version 1.1 fails to handshake to
s_server when -nocert option


> On Jan 10, 2016, at 8:39 AM, Michel <michel.sales at free.fr> wrote:
> 
> but NOT with version 1.1-pre : 
> openssl s_server -nocert -cipher "ALL:eNULL:@STRENGTH"
> openssl s_client  -cipher "ALL:eNULL:@STRENGTH"
>  

Try:

	-cipher "ALL:eNULL:@STRENGTH:@SECLEVEL=0"

The default security level 1 disables aNULL ciphers.

Perhaps disabling aNULL via @SECLEVEL is not the right thing to do.
The semantics of SECLEVEL are not yet set in stone, and authentication is
quite separate from crypto security, so perhaps if you enable aNULL ciphers
you should get them.  After all, even if certificates are used, nothing
forces you to verify them.

-- 
	Viktor.
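
An added example, not part of the original messages and not OpenSSL's own tooling: following the point above that security level 1 disables aNULL ciphers, this shell audit flags a cipher string that drops to @SECLEVEL=0 and lists the unauthenticated (Au=None) suites in `openssl ciphers -v` output. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in `openssl ciphers -v` format (not captured from the thread).
sample_listing() {
cat <<'EOF'
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA  Enc=AESGCM(256) Mac=AEAD
AECDH-AES256-SHA            TLSv1   Kx=ECDH Au=None Enc=AES(256)    Mac=SHA1
ADH-AES128-SHA              SSLv3   Kx=DH   Au=None Enc=AES(128)    Mac=SHA1
AES128-SHA                  SSLv3   Kx=RSA  Au=RSA  Enc=AES(128)    Mac=SHA1
EOF
}

# stdin: `ciphers -v` listing; prints names of suites with no peer authentication.
anon_suites() {
    awk '{ for (i = 2; i <= NF; i++) if ($i == "Au=None") { print $1; break } }'
}

# Prints the last @SECLEVEL=N found in cipher string $1 (nothing if unset).
seclevel_of() {
    printf '%s\n' "$1" | tr ':' '\n' |
        sed -n 's/^@SECLEVEL=\([0-9]\)$/\1/p' | tail -n 1
}

# $1 = cipher string, stdin = its `ciphers -v` listing.
# Returns 1 if the string sets level 0 or the listing has anonymous suites.
audit() {
    level=$(seclevel_of "$1")
    anon=$(anon_suites | tr '\n' ' ')
    status=0
    [ "$level" = "0" ] && { echo "WARN: @SECLEVEL=0 in cipher string"; status=1; }
    [ -n "$anon" ] && { echo "WARN: unauthenticated suites: $anon"; status=1; }
    return $status
}

# Demo on the constructed sample; prints both warnings.
sample_listing | audit 'ALL:@STRENGTH:@SECLEVEL=0' || true

# Live use (OpenSSL 1.1.0+; -s lists only suites consistent with the
# security level and protocol versions):
#   s='ALL:@STRENGTH:@SECLEVEL=0'; openssl ciphers -s -v "$s" | audit "$s"
```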


