Question about TLS 1.3 and openssl -cipher aNULL option

Yury Mazin ymazin at opentext.com
Thu Sep 3 23:45:28 UTC 2020


Hello,

We have a server that was originally using OpenSSL 1.0.2h.
The server is configured to use SSL ciphers as follows:
ALL:!aNULL:!ADH:!EDH:!eNULL:!EXPORT
When the openssl client tries to connect to this server with the command
openssl s_client -connect localhost:8101 -cipher aNULL
it fails, because no aNULL ciphers are available per the server configuration.
We have now upgraded the server to use OpenSSL 1.1.1f.
The current behavior is this: the client can connect using the same command
openssl s_client -connect localhost:8101 -cipher aNULL
or
openssl s_client -tls1_3 -connect localhost:8101 -cipher aNULL

while the same connect attempt using the TLS 1.2 protocol would still fail

openssl s_client -tls1_2 -connect localhost:8001 -cipher aNULL

Would the fact that I can connect to the server using TLS 1.3 with the following command (specifically, using -cipher aNULL, while the server is configured to exclude all aNULL cipher suites) be considered a security violation?

openssl s_client -tls1_3 -connect localhost:8001 -cipher aNULL

Also, if this is a security violation, how can this be addressed in the server configuration?
Lastly, if this is not a security violation, please explain.

Thank you,

Yury Mazin
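The behaviour in the question can be reproduced offline against the local OpenSSL library through Python's ssl module. The script below is an added example, not code from the thread or from the OpenSSL project. It assumes OpenSSL 1.1.1 or later behind Python's ssl module and models, rather than performs, the handshake: SSLContext.set_ciphers() maps to SSL_CTX_set_cipher_list(), which in 1.1.1+ governs only TLS 1.2 and earlier, while the TLS 1.3 suites (TLS_AES_256_GCM_SHA384 and friends, all AEAD and all certificate-authenticated) are left at OpenSSL's default. So a client started with "-cipher aNULL" still offers the default TLS 1.3 suites, the server still accepts them, and only a TLS 1.2 handshake ends with no suite in common.

```python
"""
Model of why `-cipher aNULL` still connects under TLS 1.3 with OpenSSL 1.1.1+.

Added example, not from the mailing-list thread. Uses only the local OpenSSL
through Python's ssl module; no network, no live handshake.
Assumption: both the client's and the server's cipher string are applied with
SSLContext.set_ciphers() (SSL_CTX_set_cipher_list), which affects TLS 1.2 and
earlier only; the TLS 1.3 suites stay at OpenSSL's default (-ciphersuites /
SSL_CTX_set_ciphersuites would be needed to change them).
"""
import ssl

# Server-side cipher string exactly as given in the question.
SERVER_STRING = "ALL:!aNULL:!ADH:!EDH:!eNULL:!EXPORT"


def offered_suites(cipher_string):
    """Return (tls13_names, legacy_names) for an endpoint configured with
    cipher_string. TLS 1.3 suites are reported separately because
    set_ciphers() does not touch them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        # A build with no anonymous suites compiled in rejects "aNULL" outright
        # ("No cipher can be selected"); model that as an empty legacy list
        # while the default TLS 1.3 suites remain.
        fresh = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        tls13 = [c["name"] for c in fresh.get_ciphers() if c["protocol"] == "TLSv1.3"]
        return tls13, []
    suites = ctx.get_ciphers()
    tls13 = [c["name"] for c in suites if c["protocol"] == "TLSv1.3"]
    legacy = [c["name"] for c in suites if c["protocol"] != "TLSv1.3"]
    return tls13, legacy


def is_anonymous(name):
    """Anonymous (aNULL) suites in OpenSSL naming are ADH-* and AECDH-*.
    TLS 1.3 suite names (TLS_*) never match: TLS 1.3 has no anonymous suites."""
    return name.startswith(("ADH-", "AECDH-"))


def negotiated_suite(client_string, server_string, tls13=True):
    """First suite acceptable to both sides, in the client's preference order
    (OpenSSL's default unless SSL_OP_CIPHER_SERVER_PREFERENCE is set).
    tls13=False models `openssl s_client -tls1_2`: only legacy lists compare.
    Returns None when no suite is shared, i.e. the handshake fails."""
    c13, c12 = offered_suites(client_string)
    s13, s12 = offered_suites(server_string)
    client_order = (c13 if tls13 else []) + c12
    server_accepts = set((s13 if tls13 else []) + s12)
    for name in client_order:
        if name in server_accepts:
            return name
    return None


def main():
    for tls13, label in ((True, "TLS 1.3 allowed (-tls1_3 or default)"),
                         (False, "TLS 1.2 only (-tls1_2)")):
        chosen = negotiated_suite("aNULL", SERVER_STRING, tls13=tls13)
        print(f"{label}: negotiated {chosen or 'nothing (handshake fails)'}")
        if chosen:
            print("  anonymous suite?", is_anonymous(chosen))


if __name__ == "__main__":
    main()
```

Run it and the TLS 1.3 case negotiates a TLS_* suite that is authenticated by the server's certificate, while the TLS 1.2 case returns None, matching the s_client results in the question. The cipher string therefore was never bypassed: it simply has no say over TLS 1.3, where anonymous key exchange does not exist. To see the same thing from the command line, "openssl ciphers -v -s -tls1_3 'aNULL'" lists the suites a 1.1.1 client would actually offer for that string, and "-ciphersuites" is the knob that restricts TLS 1.3.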
