Question about TLS 1.3 and openssl -cipher aNULL option
Yury Mazin
ymazin at opentext.com
Thu Sep 3 23:45:28 UTC 2020
Hello,
We have a server was originaly using OpenSSL 1.0.2h.
Server is configured to use SSL ciphers as following
ALL:!aNULL:!ADH:!EDH:!eNULL:!EXPORT
When openssl client tries to connect to this server with command
openssl s_client -connect localhost:8101-cipher aNULL
it fails, because any aNULL ciphers are not available per server configuration.
We have now upgraded server to use OpenSSL 1.1.1f.
The current behavior is this: client can connect using the same command
openssl s_client -connect localhost:8101 -cipher aNULL
or
openssl s_client -tls1_3 -connect localhost:8101 -cipher aNULL
while the same connect attempt using TLS1.2 protocol would still fail
openssl s_client -tls1_2 -connect localhost:8001-cipher aNULL
Would the fact that I can connect to the server using TLS 1.3 using the following command (specifically, using -cipher aNULL, while server is configured to exclude all aNULL cipher suites) considered a security violation?
openssl s_client -tls1_3 -connect localhost:8001 -cipher aNULL
Also, if this a security violation, how this can be addressed in the server configuration?
Lastly, if this is not a security violation, please explain.
Thank you,
Yury Mazin
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20200903/e69152ee/attachment.html>
More information about the openssl-users
mailing list