Thanks Rich. More newbie questions.
Looking at the available ciphers I see this:
>./openssl ciphers -v 'ALL:aNULL' |grep ECDH |grep "Au=None"
AECDH-AES256-SHA SSLv3 Kx=ECDH Au=None Enc=AES(256) Mac=SHA1
AECDH-AES128-SHA SSLv3 Kx=ECDH Au=None Enc=AES(128) Mac=SHA1
AECDH-RC4-SHA SSLv3 Kx=ECDH Au=None Enc=RC4(128) Mac=SHA1
AECDH-DES-CBC3-SHA SSLv3 Kx=ECDH Au=None Enc=3DES(168) Mac=SHA1
AECDH-NULL-SHA SSLv3 Kx=ECDH Au=None Enc=None Mac=SHA1
1) What arg to SSL_CTX_set_cipher_list() do I need to use to get these?
I previously tried "kEECDH:kEDH" and that didn't work.
2) These ciphers all report as SSLv3. Do I have to use SSLv3
client/server methods to get access to these ciphers? I was using TLS
1.2 (TLSv1_2_server_method()) methods.
Norm Green
On 5/24/16 10:08, Salz, Rich wrote:
>> 1) The wiki says don't use ADH, presumably because ADH provides
>> encryption but not authentication and is exposed to man in the middle
>> attacks. Is that the only reason?
> Use ECDH, it's less expensive computationally.
>> 2) Are the same encryption keys used every time with ADH?
> Yes. That's the other BIG reason :) You really want ephemeral, and therefore
> ECDH
>> 3) Is it possible to use ephemeral DH without using certificates? I was not
>> able to get that to work.
> Yes. This is "null" auth.
>> 4) What is the best practice for establishing an anonymous encrypted
>> channel using OpenSSL?
> Postfix does this kind of thing, as does other SMTP software. Look around for
> 'opportunistic encryption' perhaps.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
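The `openssl ciphers -v` output quoted above lends itself to a quick audit. The following is an added example, not code from this thread or from OpenSSL: it parses such lines, flags the Au=None suites (no peer authentication, hence the man-in-the-middle exposure raised in the quoted reply), checks which are negotiable under TLS 1.2, and runs the same audit against the OpenSSL linked into the local Python via `ssl.SSLContext.get_ciphers()`. It assumes the constructed sample below (the five lines from the post plus one authenticated ECDHE-RSA suite for contrast); `aNULL` and `AECDH` are the ciphers(1) keywords that select anonymous suites.

```python
import re
import ssl

# Constructed sample: the five AECDH lines quoted in the post plus one
# authenticated ECDHE-RSA suite (also constructed) so the filters have a contrast.
SAMPLE = """\
AECDH-AES256-SHA SSLv3 Kx=ECDH Au=None Enc=AES(256) Mac=SHA1
AECDH-AES128-SHA SSLv3 Kx=ECDH Au=None Enc=AES(128) Mac=SHA1
AECDH-RC4-SHA SSLv3 Kx=ECDH Au=None Enc=RC4(128) Mac=SHA1
AECDH-DES-CBC3-SHA SSLv3 Kx=ECDH Au=None Enc=3DES(168) Mac=SHA1
AECDH-NULL-SHA SSLv3 Kx=ECDH Au=None Enc=None Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
"""

# One `openssl ciphers -v` line: name, protocol, then Kx= Au= Enc= Mac= fields.
LINE_RE = re.compile(r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+"
                     r"Au=(?P<au>\S+)\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)")

# The protocol column is the lowest version a suite was defined for, not the
# only one it runs under: an SSLv3-tagged suite is still negotiable under
# TLS 1.0-1.2, so TLSv1_2_server_method() does not exclude it.
PROTO_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.2": 2, "TLSv1.3": 3}

def parse_ciphers(text):
    """Parse `openssl ciphers -v` output into dicts; non-matching lines are skipped."""
    matches = [LINE_RE.match(line.strip()) for line in text.splitlines()]
    return [m.groupdict() for m in matches if m]

def anonymous_suites(rows):
    """Au=None: the peer is never authenticated, so an attacker on the path can
    terminate both ends unnoticed. That is the wiki's objection to ADH/AECDH."""
    return [r["name"] for r in rows if r["au"] == "None"]

def negotiable_under_tls12(rows):
    return [r["name"] for r in rows if PROTO_RANK.get(r["proto"], 99) <= 2]

def audit_cipher_string(spec):
    """Apply a cipher string to the OpenSSL linked into this Python and return
    the anonymous suites it would offer ([] if nothing matches, which makes
    set_ciphers raise). aNULL / AECDH from ciphers(1) select such suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(spec)
    except ssl.SSLError:
        return []
    text = "\n".join(c["description"] for c in ctx.get_ciphers())
    return anonymous_suites(parse_ciphers(text))
```

Running `audit_cipher_string("aNULL:!eNULL")` shows whether the local build still offers anonymous suites at all, and `audit_cipher_string("DEFAULT")` should come back empty on any sane configuration.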