[openssl-users] How to use ADH with OpenSSL 1.1.0
Viktor Dukhovni
openssl-users at dukhovni.org
Thu Apr 12 17:05:38 UTC 2018
> On Apr 12, 2018, at 7:12 AM, Frykenvall, Per <per.frykenvall at cgi.com> wrote:
>
> Then I tried adding :@SECLEVEL=0 to my cipher suite list. That made the trick, but as far as I understand, it switches off some other cipher checks. What's the recommended way of allowing ADH?
For now just @SECLEVEL=0. There's not yet a more fine-grained way to set the security level for crypto parameters but allow certificate-less key exchange. If you're willing to allow MiTM attacks, then downgrades are out of scope, and the peers will negotiate the best available ciphers, so @SECLEVEL=0 is probably fine, you'll still get strong ciphers.
You can also limit the cipher list to exclude anything you feel is too weak to offer.
--
Viktor.
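
An added example, not part of the original message: a Python check that uses the standard `ssl` module to list which TLS 1.2-and-earlier suites a cipher string selects, so a narrowed list can be reviewed next to a broad one. The two cipher strings and the policy (AEAD only, at least 128 bits) are assumptions chosen for illustration, and the result depends on the suites compiled into the local OpenSSL.

```python
import ssl

# Constructed cipher strings for the comparison (assumptions, not from the post).
BROAD = "ADH:@SECLEVEL=0"            # every anonymous-DH suite
NARROW = "ADH+AESGCM:@SECLEVEL=0"    # anonymous DH, AES-GCM only


def anon_client_context(cipher_string):
    """Client context for certificate-less (anonymous) key exchange."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # no certificate, so no name to check
    ctx.verify_mode = ssl.CERT_NONE   # ADH is unauthenticated by design
    ctx.set_ciphers(cipher_string)    # raises ssl.SSLError if nothing matches
    return ctx


def selected_suites(cipher_string):
    """Suites the string selects for TLS 1.2 and earlier.

    TLS 1.3 suites are configured separately and have no anonymous
    variants, so they are filtered out of the listing.
    """
    ctx = anon_client_context(cipher_string)
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def outside_policy(cipher_string, min_bits=128):
    """Names of selected suites that are not AEAD or are below min_bits.

    The policy itself is an assumption made for this example.
    """
    return [c["name"] for c in selected_suites(cipher_string)
            if not c["aead"] or c["strength_bits"] < min_bits]


if __name__ == "__main__":
    for label, string in (("broad", BROAD), ("narrow", NARROW)):
        names = [c["name"] for c in selected_suites(string)]
        print(label, string)
        print("  selected:      ", names)
        print("  outside policy:", outside_policy(string))
```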