On Wed, Mar 26, 2014 at 07:33:15AM -0700, Deepti Jindal wrote:

> In continuation with post:
> http://openssl.6102.n7.nabble.com/SSL-Verify-Question-tp17908.html
> which says that with Anonymous ciphers, certificates won't be exchanged and
> hence won't be verified.

Don't confuse eNULL (no encryption) with aNULL (no authentication).
With OpenSSL 1.0.1e the only ciphersuite that is in both categories is:

    $ openssl version
    OpenSSL 1.0.1e 11 Feb 2013
    $ openssl ciphers -v eNULL+aNULL
    AECDH-NULL-SHA          SSLv3 Kx=ECDH     Au=None Enc=None      Mac=SHA1

> However, I do want to ensure that no matter what, I am never sending
> requests to the server without verification. Will it be possible if my
> application is using an eNULL cipher (with Authentication ciphers enabled)?
> e.g. "TLS_RSA_WITH_NULL_SHA"

If you append ":!aNULL" to your cipherlist, no unauthenticated
ciphersuites will be negotiated.  Of course you still need to arrange to
verify the presented certificates, otherwise they add no value.  (There is
of course also PSK, but we'll ignore that for now).

> "Certificate exchange will be mandatory in case Authentication ciphers are
> used": Is this statement correct?

Yes, if by "Authentication ciphers" you mean "!aNULL", i.e. the complement
of the anonymous ciphers, and we ignore PSK authentication.

-- 
	Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
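The eNULL/aNULL distinction and the ":!aNULL" fix from the reply above, as an added example that is not part of the thread or of OpenSSL itself. It uses Python's standard ssl module, whose SSLContext.get_ciphers() entries carry a 'description' string in the same "Kx=... Au=... Enc=..." format that `openssl ciphers -v` prints, so a cipherlist can be audited before any connection is made. The function names (describe, anonymous_suites, unencrypted_suites, authenticated_only, hardened, client_context) are this example's own; "@SECLEVEL=0" is assumed to be accepted (OpenSSL 1.1.0 or later), and which eNULL/aNULL suites appear depends on the local OpenSSL build, which is why the audit is done by the Au=/Enc= fields rather than by suite name.

```python
import ssl

# Added example, not from the mailing-list thread.  It applies the list's
# eNULL (no encryption) vs aNULL (no authentication) distinction using the
# ssl module: every entry of SSLContext.get_ciphers() has a 'description'
# in the "Kx=... Au=... Enc=... Mac=..." format of `openssl ciphers -v`.
# "@SECLEVEL=0" is an assumption (OpenSSL >= 1.1.0); without it, modern
# builds refuse eNULL/aNULL suites outright and set_ciphers() fails.


def describe(cipherlist):
    """Map suite name -> (Kx, Au, Enc) for every TLS <= 1.2 suite the
    cipherlist enables.  An empty dict means nothing matched."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipherlist)
    except ssl.SSLError:  # "No cipher can be selected": nothing matched
        return {}
    suites = {}
    for c in ctx.get_ciphers():
        # TLS 1.3 suites are always listed, are negotiated separately and
        # are always authenticated; skip them so eNULL/aNULL answers are exact.
        if c["protocol"] == "TLSv1.3":
            continue
        fields = dict(tok.split("=", 1)
                      for tok in c["description"].split() if "=" in tok)
        suites[c["name"]] = (fields.get("Kx"), fields.get("Au"), fields.get("Enc"))
    return suites


def anonymous_suites(cipherlist):
    """aNULL members: Au=None, so the server presents no certificate at all."""
    return sorted(name for name, (kx, au, enc) in describe(cipherlist).items()
                  if au == "None")


def unencrypted_suites(cipherlist):
    """eNULL members: Enc=None; these may still be authenticated (e.g. NULL-SHA,
    which is TLS_RSA_WITH_NULL_SHA from the question)."""
    return sorted(name for name, (kx, au, enc) in describe(cipherlist).items()
                  if enc == "None")


def authenticated_only(cipherlist):
    """True when the list can never negotiate an unauthenticated suite."""
    return not anonymous_suites(cipherlist)


def hardened(cipherlist):
    """The fix from the reply: append ':!aNULL' so no anonymous suite is left."""
    return cipherlist + ":!aNULL"


def client_context(cipherlist):
    """A client context that both excludes aNULL and actually verifies the
    certificate the server is now required to send.  '!aNULL' alone only
    forces the server to present a certificate; CERT_REQUIRED plus hostname
    checking is what makes the client check it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(hardened(cipherlist))
    ctx.verify_mode = ssl.CERT_REQUIRED  # already the default for PROTOCOL_TLS_CLIENT
    ctx.check_hostname = True
    ctx.load_default_certs()
    return ctx


if __name__ == "__main__":
    for cl in ("eNULL+aNULL:@SECLEVEL=0",   # the intersection shown in the reply
               "eNULL:!aNULL:@SECLEVEL=0",  # NULL encryption, but authenticated
               "DEFAULT:!aNULL"):
        print("%-28s anonymous=%s unencrypted=%s"
              % (cl, anonymous_suites(cl), unencrypted_suites(cl)))
```

On the 1.0.1e build in the reply, the first cipherlist would yield AECDH-NULL-SHA as both anonymous and unencrypted; on a current build the exact names differ or the set may be empty, but the invariants hold: every suite matched by eNULL+aNULL has Au=None and Enc=None, every suite matched by eNULL:!aNULL has Enc=None with a real Au=, and anything ending in :!aNULL has no Au=None suite at all.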