[openssl-dev] s_client version 1.1 fails to handshake to s_server when -nocert option
Viktor Dukhovni
openssl-users at dukhovni.org
Mon Jan 25 17:47:32 UTC 2016
> On Jan 25, 2016, at 11:36 AM, Michel <michel.sales at free.fr> wrote:
>
> Thank you very much for your answer, Viktor!
> It works, using:
> openssl s_server -nocert -cipher "ALL:@STRENGTH:@SECLEVEL=0"
> openssl s_client -cipher "ALL:@STRENGTH:@SECLEVEL=0"
> I was able to handshake an "AECDH-AES256-SHA" cipher.
> :-)
> I will try to investigate deeper around the SECLEVEL=... keyword that I
> completely missed.
It is a very new feature and easy to miss amidst all the other new
features. I am currently working on fixing some corner cases in this
very code, so this is a good time to discuss whether @SECLEVEL should
have any bearing on aNULL support. My instinct is that it should not,
and I'm going to submit code that allows one to set a floor on the
various crypto primitives allowed even for aNULL connections (which
may be authenticated by other means).
--
Viktor.