Hello,
> Hi, this might sound like an odd question, but I'm trying to figure
> out if there's a way to "use" openssl without actually encrypting
> anything.
Of course, SSL/TLS serves three purposes:
 - peer authentication (where, for example, RSA is used)
 - data encryption (DES, AES ...)
 - data integrity (SHA1, MD5)

> We have a group of users here who wish to send email through
> Thunderbird to a SMTP server (sendmail) that requires SSL/TLS
> authentication/encryption. The complaint is that it takes too long for
> Thunderbird to encrypt large attachments when sending email.
> Email content security isn't a major concern in our situation but we
> do want to keep the SSL/TLS authentication in order to prevent
> others outside the group from relaying through the SMTP server.
> Sendmail depends on openssl for the SSL/TLS portion, so I'm
> trying to figure out if there's a way we can modify the SMTP server
> to not attempt or require encryption from the email clients while
> leaving the basic structure (sendmail/openssl) in place. Maybe set
> the encryption strength to zero bits or something similar? I'm not
> too openssl savvy, so any details would be greatly appreciated.
If you do not want to encrypt your data, but you want to have
client authentication (with an RSA key), you may use the eNULL cipher:

$ openssl ciphers -v eNULL
NULL-SHA   SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
NULL-MD5   SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=MD5

This means that if the server wants to verify client authentication,
then the RSA key will be used. After proper authentication,
data transferred between peers will not be encrypted (Enc=Null),
but data integrity will be checked/preserved (Mac=SHA1,MD5),
which means that modification of this data by a third party
will be detected, and in such a case the SSL tunnel will be disconnected
(and peers notified).

In this situation, key_material will be generated, but only the
keys for data integrity (HMAC for TLS1, for example) will be used.

Best regards,
-- 
Marek Marcola <[EMAIL PROTECTED]>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
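
Added example, not part of the original message: a shell helper that reads `openssl ciphers -v` output and flags suites that leave data in the clear, so the cipher string a server is configured with can be checked for eNULL entries. The sample input is constructed (the two NULL suites are the ones quoted in the message, the AES line is added for contrast), and the function names are hypothetical.

```shell
#!/bin/sh
# Classify `openssl ciphers -v` lines by the three properties named in the
# message: authentication (Au=), encryption (Enc=) and integrity (Mac=).

# Constructed sample: the two eNULL lines from the message plus one
# encrypting suite for contrast.
SAMPLE='NULL-SHA   SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
NULL-MD5   SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=MD5
AES128-SHA SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1'

# classify_ciphers (hypothetical name): read `openssl ciphers -v` lines on
# stdin, print "<suite> auth=<x> enc=<y> mac=<z> <verdict>" for each one.
classify_ciphers() {
    awk '
    NF >= 3 {
        au = "?"; enc = "?"; mac = "?"
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^Au=/)  au  = substr($i, 4)
            if ($i ~ /^Enc=/) enc = substr($i, 5)
            if ($i ~ /^Mac=/) mac = substr($i, 5)
        }
        # Enc=None: payload is only integrity-protected, not confidential.
        verdict = "ENCRYPTED"
        if (enc == "None") verdict = "PLAINTEXT"
        # Au=None: anonymous suite, no peer authentication at all.
        if (au == "None")  verdict = verdict ",UNAUTHENTICATED"
        printf "%s auth=%s enc=%s mac=%s %s\n", $1, au, enc, mac, verdict
    }'
}

# plaintext_suites (hypothetical name): print only the names of suites
# that would send application data unencrypted.
plaintext_suites() {
    classify_ciphers | awk '$NF ~ /PLAINTEXT/ { print $1 }'
}

printf '%s\n' "$SAMPLE" | classify_ciphers
# Against a local OpenSSL build: openssl ciphers -v 'eNULL' | classify_ciphers
```

Piping the output of `openssl ciphers -v` for a server's configured cipher string through `plaintext_suites` shows whether any no-encryption suite is enabled; an empty result means none is.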
