On Wed, Mar 26, 2014 at 07:33:15AM -0700, Deepti Jindal wrote:

> In continuation with post:
> http://openssl.6102.n7.nabble.com/SSL-Verify-Question-tp17908.html
> which says that with Anonymous ciphers, certificates won't be exchanged and
> hence won't be verified. 

Don't confuse eNULL (no encryption) with aNULL (no authentication).
With OpenSSL 1.0.1e the only ciphersuite that is in both categories is:

    $ openssl version
    OpenSSL 1.0.1e 11 Feb 2013

    $ openssl ciphers -v eNULL+aNULL
    AECDH-NULL-SHA          SSLv3 Kx=ECDH     Au=None Enc=None      Mac=SHA1

> However, I do want to ensure that no matter what, I am never sending
> requests to the server without verification. Will it be possible if my
> application is using an eNULL cipher (with Authentication ciphers enabled)?
> e.g. "TLS_RSA_WITH_NULL_SHA"

If you append ":!aNULL" to your cipherlist, no unauthenticated
ciphersuites will be negotiated.  Of course you still need to
arrange to verify the presented certificates, otherwise, they
add no value.  (There is of course also PSK, but we'll ignore
that for now).

> "Certificate exchange will be mandatory in case Authentication ciphers are
> used": Is this statement correct?

Yes, if by "Authentication ciphers" you mean "!aNULL", i.e. complement
of the anonymous ciphers and we ignore PSK authentication.

-- 
        Viktor.
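Added example, not code from Viktor's reply or from the OpenSSL project: a small Python check, via the standard ssl module (which wraps OpenSSL), that a cipher list ending in ":!aNULL" offers no suite with Au=None, and a client context that, as the reply stresses, also verifies the presented certificate. The string "auth-null" for the auth field is assumed from OpenSSL's naming; results depend on the suites your OpenSSL build includes.

```python
import ssl

# "auth-null" is OpenSSL's long name for the aNULL authentication method as
# reported by SSLContext.get_ciphers() (an assumption about OpenSSL's naming).
ANONYMOUS_AUTH = "auth-null"


def offered_ciphers(cipher_list):
    """Return the suite descriptions OpenSSL would offer for this cipher list."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_list)
    except ssl.SSLError:
        return []          # the list matched no suite at all
    return ctx.get_ciphers()


def anonymous_suites(cipher_list):
    """Names of the suites in the list that authenticate nobody (Au=None)."""
    return [c["name"] for c in offered_ciphers(cipher_list)
            if c["auth"] == ANONYMOUS_AUTH]


def verified_client_context(cipher_list):
    """Client context that refuses aNULL suites *and* verifies the peer.

    Excluding aNULL only guarantees that a certificate is presented; the
    context must still be told to verify it, which PROTOCOL_TLS_CLIENT does
    by default (CERT_REQUIRED plus hostname checking) once a trust store is
    loaded.
    """
    hardened = cipher_list + ":!aNULL"
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_default_certs()            # system CA store for chain validation
    ctx.set_ciphers(hardened)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if anonymous_suites(hardened):
        raise ValueError("anonymous suites survived: " + hardened)
    return ctx


if __name__ == "__main__":
    # Show what ":!aNULL" strips from a permissive list on this OpenSSL build.
    print("aNULL suites in ALL:       ", anonymous_suites("ALL"))
    print("aNULL suites in ALL:!aNULL:", anonymous_suites("ALL:!aNULL"))
```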
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
