On Thu, Jun 12, 2014, Viktor Dukhovni wrote: > When I compile Postfix against OpenSSL 1.0.2-beta or earlier, and > configure the SMTP server to not have any certificates, the Postfix > client and server happily negotiate a suitable aNULL ciphersuite > (e.g. AECDH-AES256-SHA). > > When I compile against "master", with the same configuration, I get > on the server: > > SSL3 alert write:fatal:handshake failure > SSL_accept:error in SSLv3 read client hello C > error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared > cipher:s3_srvr.c:1435: > > The 15 ciphers reported by: > > $ openssl ciphers -v 'aNULL:!EXPORT:!LOW:!eNULL:@STRENGTH' > AECDH-AES256-SHA SSLv3 Kx=ECDH Au=None Enc=AES(256) Mac=SHA1 > ADH-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=None Enc=AESGCM(256) Mac=AEAD > ADH-AES256-SHA256 TLSv1.2 Kx=DH Au=None Enc=AES(256) Mac=SHA256 > ADH-AES256-SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1 > ADH-CAMELLIA256-SHA SSLv3 Kx=DH Au=None Enc=Camellia(256) Mac=SHA1 > AECDH-AES128-SHA SSLv3 Kx=ECDH Au=None Enc=AES(128) Mac=SHA1 > ADH-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=None Enc=AESGCM(128) Mac=AEAD > ADH-AES128-SHA256 TLSv1.2 Kx=DH Au=None Enc=AES(128) Mac=SHA256 > ADH-AES128-SHA SSLv3 Kx=DH Au=None Enc=AES(128) Mac=SHA1 > ADH-SEED-SHA SSLv3 Kx=DH Au=None Enc=SEED(128) Mac=SHA1 > ADH-CAMELLIA128-SHA SSLv3 Kx=DH Au=None Enc=Camellia(128) Mac=SHA1 > AECDH-RC4-SHA SSLv3 Kx=ECDH Au=None Enc=RC4(128) Mac=SHA1 > ADH-RC4-MD5 SSLv3 Kx=DH Au=None Enc=RC4(128) Mac=MD5 > AECDH-DES-CBC3-SHA SSLv3 Kx=ECDH Au=None Enc=3DES(168) Mac=SHA1 > ADH-DES-CBC3-SHA SSLv3 Kx=DH Au=None Enc=3DES(168) Mac=SHA1 > > are somehow suppressed by the "master" client library. Is this > somehow related to the new "security levels"? Something else? >
Yes. The default security levels disable anonymous ciphersuites. If you use the new -s option to "ciphers" you'll see this. Setting the security level to zero either in the API of the cipherstring will make them work again. Steve. -- Dr Stephen N. Henson. OpenSSL project core developer. Commercial tech support now available see: http://www.openssl.org ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org