I'm using "openssl 1.0.1j 15 Oct 2014" s_client and s_server to test out TLS and DTLS with ECDHE, e.g.

    s_server -dtls1 -accept 8000 -cert ecdsa_cert.pem -key ecdsa_key.pem -cipher "ECDHE-ECDSA-AES256-SHA"

and

    s_client -dtls1 -connect localhost:8000 -cipher "ECDHE-ECDSA-AES256-SHA"

This works great for authentication + encryption. However, if I substitute -cipher "ECDHE-ECDSA-NULL-SHA" to turn off the encryption (keeping the initial authentication and the MAC message integrity), I'm getting errors from s_server and s_client, shown below. I get the same errors with or without -dtls1 (so using TCP instead of UDP).

openssl ciphers -V "NULL" shows it should be available, if I understand the command correctly (though it is listed as SSLv3 and not TLSv1.2?):

    0xC0,0x06 - ECDHE-ECDSA-NULL-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=None Mac=SHA1

Thanks for any assistance.

n@

------

OpenSSL> s_server -accept 8000 -cert ./ecdsa_cert.pem -key ecdsa_key.pem -cipher ECDHE_ECDSA_NULL_SHA
Using default temp DH parameters
Using default temp ECDH parameters
error setting cipher list
140735236031328:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1314:
error in s_server

--------

OpenSSL> s_client -dtls1 -connect localhost:8000 -cipher "ECDHE-ECDSA-NULL-SHA"
CONNECTED(00000003)
write:errno=61
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : DTLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1413995353
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---
error in s_client
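As an added example (not part of the post above), the script below parses the `openssl ciphers -V` output format the post quotes and flags suites that provide no encryption (Enc=None) or no peer authentication (Au=None), so a tester can see exactly what a cipher string resolves to before handing it to s_server; the sample input is the line from the post plus constructed sibling lines, and the weakness rules are this example's own.

```python
import re
from dataclasses import dataclass

# One `openssl ciphers -V` line (the first sample line is quoted in the post above):
#   0xC0,0x06 - ECDHE-ECDSA-NULL-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=None Mac=SHA1
LINE_RE = re.compile(
    r"^\s*0x([0-9A-Fa-f]{2}),0x([0-9A-Fa-f]{2})\s+-\s+(\S+)\s+(\S+)\s+"
    r"Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)"
)

@dataclass
class Suite:
    code: int   # two-byte suite id, e.g. 0xC006
    name: str   # OpenSSL suite name
    proto: str  # protocol column as printed by openssl
    kx: str
    au: str
    enc: str
    mac: str

def parse_ciphers_v(text: str) -> list:
    """Parse `openssl ciphers -V` output; lines that do not match are skipped."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            hi, lo, name, proto, kx, au, enc, mac = m.groups()
            suites.append(Suite((int(hi, 16) << 8) | int(lo, 16), name, proto, kx, au, enc, mac))
    return suites

def audit(suites: list) -> dict:
    """Map suite name -> weaknesses; suites with no findings are left out."""
    findings = {}
    for s in suites:
        issues = []
        if s.enc == "None":
            issues.append("no encryption (NULL cipher: integrity only, plaintext on the wire)")
        if s.au == "None":
            issues.append("no peer authentication (anonymous key exchange)")
        if issues:
            findings[s.name] = issues
    return findings

# Constructed sample: the first line is from the post, the rest are made up here.
SAMPLE = """\
0xC0,0x06 - ECDHE-ECDSA-NULL-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=None Mac=SHA1
0xC0,0x0A - ECDHE-ECDSA-AES256-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=AES(256) Mac=SHA1
0xC0,0x2C - ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
"""
```

Feeding it real output (`openssl ciphers -V "<spec>" | python3 -c '...'`) shows whether the spec resolved to any suite at all, which is the first thing to check when s_server reports "no cipher match".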
s_server -dtls1 -accept 8000 -cert ecdsa_cert.pem -key ecdsa_key.pem -cipher "ECDHE-ECDSA-AES256-SHA" and s_client -dtls1 -connect localhost:8000 -cipher "ECDHE-ECDSA-AES256-SHA" this works great for authentication + encryption. however if i substitute -cipher "ECDHE-ECDSA-NULL-SHA" to turn off the encryption (keeping the initial authentication and the MAC message integrity) i'm getting errors from s_server and s_client, shown below. i get the same errors with or without -dtls1 (so using TCP instead of UDP). openssl ciphers -V "NULL" shows it should be available if i understand the command correctly (though it is listed as SSLv3 and not TLSv1.2 ?) 0xC0,0x06 - ECDHE-ECDSA-NULL-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=None Mac=SHA1 thanks for any assistance. n@ ------ OpenSSL> s_server -accept 8000 -cert ./ecdsa_cert.pem -key ecdsa_key.pem -cipher ECDHE_ECDSA_NULL_SHA Using default temp DH parameters Using default temp ECDH parameters error setting cipher list 140735236031328:error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:ssl_lib.c:1314: error in s_server -------- OpenSSL> s_client -dtls1 -connect localhost:8000 -cipher "ECDHE-ECDSA-NULL-SHA" CONNECTED(00000003) write:errno=61 --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 0 bytes and written 0 bytes --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE SSL-Session: Protocol : DTLSv1 Cipher : 0000 Session-ID: Session-ID-ctx: Master-Key: Key-Arg : None PSK identity: None PSK identity hint: None SRP username: None Start Time: 1413995353 Timeout : 7200 (sec) Verify return code: 0 (ok) --- error in s_client