On Mon, Feb 04, 2008 at 08:28:04AM -0800, JCA wrote:

> OK, I found it. In case this helps somebody out there, the way it
> works for me is the following:
>
> The client is invoked as
>
> openssl s_client -connect 127.0.0.1:443 -cipher COMPLEMENTOFALL:aNULL
>
> and the server as
>
> openssl s_server -msg -accept 443 -nocert -cipher COMPLEMENTOFALL:aNULL
>
> With this, the server accepts the TLS_RSA_WITH_NULL_SHA ciphersuite
> without complaints.
>

Completely wrong. Now, you are asking not for "no encryption" (eNULL)
ciphers, but rather for ciphers without certificates (i.e. aNULL ciphers).
The correct syntax is:

    ALL+aNULL

not

    COMPLEMENTOFALL:aNULL

The TLS_RSA_WITH_NULL_SHA is an "eNULL" cipher, it is not an aNULL
cipher, and it requires a server certificate. As you provide no server
cert, only the aNULL ciphers are used.

With OpenSSL 0.9.8, the "ALL+aNULL" definition yields:

    ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
    ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
    ADH-DES-CBC3-SHA        SSLv3 Kx=DH       Au=None Enc=3DES(168) Mac=SHA1
    ADH-DES-CBC-SHA         SSLv3 Kx=DH       Au=None Enc=DES(56)   Mac=SHA1
    EXP-ADH-DES-CBC-SHA     SSLv3 Kx=DH(512)  Au=None Enc=DES(40)   Mac=SHA1 export
    ADH-RC4-MD5             SSLv3 Kx=DH       Au=None Enc=RC4(128)  Mac=MD5
    EXP-ADH-RC4-MD5         SSLv3 Kx=DH(512)  Au=None Enc=RC4(40)   Mac=MD5  export

--
    Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                                [EMAIL PROTECTED]
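
Added example, not part of the original thread: a small shell filter that tags each line of an `openssl ciphers -v` listing as aNULL (Au=None), eNULL (Enc=None) or export, so the distinction drawn in the reply is visible when auditing what a cipher string expands to. The function names are hypothetical, and the sample is the listing quoted in the reply plus one constructed NULL-SHA line in the same format for contrast.

```shell
#!/bin/sh
# Added example: classify `openssl ciphers -v` lines by their Au=/Enc= columns.

# Reads a listing on stdin and prints "<suite> <tags>" per suite.
# aNULL = no authentication (no certificate), eNULL = no encryption.
classify_ciphers() {
    awk '
    NF >= 6 {
        tags = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "Au=None")  tags = tags " aNULL"
            if ($i == "Enc=None") tags = tags " eNULL"
            if ($i == "export")   tags = tags " export"
        }
        if (tags == "") tags = " -"   # neither anonymous, null nor export
        print $1 tags
    }'
}

# Constructed sample: the seven lines from the reply, plus a NULL-SHA
# line (an eNULL suite that still authenticates with an RSA certificate).
sample_listing() {
    cat <<'EOF'
ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
ADH-DES-CBC3-SHA        SSLv3 Kx=DH       Au=None Enc=3DES(168) Mac=SHA1
ADH-DES-CBC-SHA         SSLv3 Kx=DH       Au=None Enc=DES(56)   Mac=SHA1
EXP-ADH-DES-CBC-SHA     SSLv3 Kx=DH(512)  Au=None Enc=DES(40)   Mac=SHA1 export
ADH-RC4-MD5             SSLv3 Kx=DH       Au=None Enc=RC4(128)  Mac=MD5
EXP-ADH-RC4-MD5         SSLv3 Kx=DH(512)  Au=None Enc=RC4(40)   Mac=MD5  export
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
EOF
}

# Prints the names of sample suites carrying the tag given as $1.
suites_with_tag() {
    sample_listing | classify_ciphers |
        awk -v t="$1" '{ for (i = 2; i <= NF; i++) if ($i == t) print $1 }'
}

# Stand-alone run: show the classification of the sample listing.
sample_listing | classify_ciphers
```

To audit a live configuration, pipe the real listing through the filter, for example `openssl ciphers -v 'ALL+aNULL' | classify_ciphers`.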