On Sun, Feb 03, 2019 at 03:15:55PM -0600, Richard Laager via devel wrote:
> On 2/3/19 1:01 PM, Eric S. Raymond wrote:
> > I guess it will have to be an empty string that disables encryption.
>
> I'm not sure if you wrote this before the recent messages on the NULL
> ciphers. But you said you were going to use that, so...
>
> It's not an empty string... the NULL ciphers have specific names that
> are valid in an OpenSSL cipher string.
>
> See `openssl ciphers -v 'NULL'`.
>
> You would use:
> ciphers NULL
>
> or something more specific if you want:
> ciphers NULL-SHA256
>
> That would select a NULL cipher.

Note that by default that doesn't work. You need to lower the
security level to 0. You can do that with NULL@SECLEVEL=0:

$ openssl ciphers -tls1_2 -s -v NULL@SECLEVEL=0
ECDHE-ECDSA-NULL-SHA TLSv1   Kx=ECDH Au=ECDSA Enc=None Mac=SHA1
ECDHE-RSA-NULL-SHA   TLSv1   Kx=ECDH Au=RSA   Enc=None Mac=SHA1
AECDH-NULL-SHA       TLSv1   Kx=ECDH Au=None  Enc=None Mac=SHA1
NULL-SHA256          TLSv1.2 Kx=RSA  Au=RSA   Enc=None Mac=SHA256
NULL-SHA             SSLv3   Kx=RSA  Au=RSA   Enc=None Mac=SHA1
NULL-MD5             SSLv3   Kx=RSA  Au=RSA   Enc=None Mac=MD5

Note that I've added the -s option, which limits it to the usable
ciphers, and I've added -tls1_2 to prevent it from showing TLS 1.3
ciphers. Note that TLS 1.3 does not support a NULL cipher.

Kurt
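
Added example (not part of the original message or of NTPsec's code): a shell check that parses the `openssl ciphers -v` listing format shown above and flags suites with Enc=None or Au=None, so a configured cipher string can be confirmed not to enable unencrypted suites. The function names and the one AES sample line are assumptions made for this example.

```shell
#!/bin/sh
# Audit `openssl ciphers -v` output for suites that provide no
# confidentiality (Enc=None) or no peer authentication (Au=None).

# Constructed sample: the listing quoted in the message above, plus one
# constructed line for an encrypting suite that must not be flagged.
sample_listing() {
cat <<'EOF'
ECDHE-ECDSA-NULL-SHA TLSv1 Kx=ECDH Au=ECDSA Enc=None Mac=SHA1
ECDHE-RSA-NULL-SHA TLSv1 Kx=ECDH Au=RSA Enc=None Mac=SHA1
AECDH-NULL-SHA TLSv1 Kx=ECDH Au=None Enc=None Mac=SHA1
NULL-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=None Mac=SHA256
NULL-SHA SSLv3 Kx=RSA Au=RSA Enc=None Mac=SHA1
NULL-MD5 SSLv3 Kx=RSA Au=RSA Enc=None Mac=MD5
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
EOF
}

# audit_ciphers: read `openssl ciphers -v` lines on stdin and print
# "<suite> <reasons>" for every suite that should not be enabled.
audit_ciphers() {
    awk '
    NF >= 6 {
        enc = ""; au = ""
        for (i = 3; i <= NF; i++) {
            if ($i ~ /^Enc=/) enc = substr($i, 5)
            if ($i ~ /^Au=/)  au  = substr($i, 4)
        }
        reasons = ""
        if (enc == "None") reasons = "no-encryption"
        if (au == "None")
            reasons = (reasons == "" ? "" : reasons ",") "no-authentication"
        if (reasons != "") print $1, reasons
    }'
}

# check_cipher_string: audit what the local OpenSSL would actually enable
# for a cipher string. -s restricts the listing to usable suites, as in
# the message above; an unusable string yields no output.
check_cipher_string() {
    openssl ciphers -s -v "$1" 2>/dev/null | audit_ciphers
}

# Offline demonstration on the embedded sample.
sample_listing | audit_ciphers
```

Run `check_cipher_string` with the value from the `ciphers` configuration line; empty output means no NULL or anonymous suite is enabled by that string on the local OpenSSL build.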
