Re: [openssl-users] How to use ADH with OpenSSL 1.1.0
> On Apr 12, 2018, at 7:12 AM, Frykenvall, Per wrote:
>
> Then I tried adding :@SECLEVEL=0 to my cipher suite list. That made the
> trick, but as far as I understand, it switches off some other cipher checks.
> What's the recommended way of allowing ADH?

For now just @SECLEVEL=0. There's not yet a more fine-grained way to set the
security level for crypto parameters but allow certificate-less key exchange.

If you're willing to allow MiTM attacks, then downgrades are out of scope, and
the peers will negotiate the best available ciphers, so @SECLEVEL=0 is probably
fine, you'll still get strong ciphers. You can also limit the cipher list to
exclude anything you feel is too weak to offer.

-- 
	Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
[openssl-users] How to use ADH with OpenSSL 1.1.0
Hi,

I need to permit some anonymous Diffie-Hellman ciphers in OpenSSL. This worked
fine until I installed 1.1.0h, when I get "no shared cipher". I debugged and
found the cause in ssl_security_default_callback, ssl_cert.c line 1028:

    /* No unauthenticated ciphersuites */
    if (c->algorithm_auth & SSL_aNULL)
        return 0;

So do I need to have my own callback, using SSL_CTX_set_security_callback? The
manual page is not very informative and I'm not sure about how to implement the
callback. I wouldn't like to duplicate all the other checks of the default
callback.

Then I tried adding :@SECLEVEL=0 to my cipher suite list. That made the trick,
but as far as I understand, it switches off some other cipher checks.

What's the recommended way of allowing ADH?

Best regards,
Per
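The "no shared cipher" failure Per reports, and the @SECLEVEL=0 cipher string Viktor recommends, reproduced as an added example in Python. This is not code from the thread or from OpenSSL: Python's ssl module passes the cipher string straight to SSL_CTX_set_cipher_list, so the same @SECLEVEL syntax applies, and it assumes a Python whose ssl module is linked against OpenSSL 1.1.0 or later (where security levels exist). Both ends of the handshake run in one process over ssl.MemoryBIO, so nothing listens on the network; the server loads no certificate, which is exactly what anonymous key exchange permits. The pruned cipher string "aNULL:!eNULL:!RC4:!3DES:!MD5:@SECLEVEL=0" is an illustrative choice, following Viktor's point that level 0 no longer removes weak suites for you.

```python
import ssl

# Added example (not from the thread). Assumes Python's ssl module is built
# against OpenSSL >= 1.1.0, where the security level gate and @SECLEVEL exist.


def make_contexts(cipher_string):
    """Build a server and a client context that both use CIPHER_STRING.

    The server deliberately loads no certificate: anonymous (aNULL) suites have
    nothing to authenticate. The client is told not to expect one either.
    """
    server = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server.set_ciphers(cipher_string)

    client = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    client.check_hostname = False          # no certificate, so no name to check
    client.verify_mode = ssl.CERT_NONE
    client.set_ciphers(cipher_string)
    return server, client


def negotiate(cipher_string):
    """Run a TLS handshake entirely in memory and report what was agreed.

    Returns {"ok": True, "cipher": ..., "version": ...} on success, or
    {"ok": False, "error": <OpenSSL reason string>} when either side aborts.
    """
    try:
        server_ctx, client_ctx = make_contexts(cipher_string)
        c_in, c_out = ssl.MemoryBIO(), ssl.MemoryBIO()
        s_in, s_out = ssl.MemoryBIO(), ssl.MemoryBIO()
        client = client_ctx.wrap_bio(c_in, c_out, server_side=False)
        server = server_ctx.wrap_bio(s_in, s_out, server_side=True)

        # Each entry: (SSL object, its outgoing BIO, the peer's incoming BIO).
        sides = [(client, c_out, s_in), (server, s_out, c_in)]
        finished = set()
        for _ in range(32):                    # a handshake needs a few round trips
            for obj, out_bio, peer_in in sides:
                if obj not in finished:
                    try:
                        obj.do_handshake()
                        finished.add(obj)
                    except ssl.SSLWantReadError:
                        pass                   # waiting for the peer's next flight
                data = out_bio.read()
                if data:
                    peer_in.write(data)        # deliver this side's records to the peer
            if len(finished) == 2:
                name, _proto, _bits = client.cipher()
                return {"ok": True, "cipher": name, "version": client.version()}
        raise RuntimeError("handshake stalled")
    except ssl.SSLError as exc:
        # e.g. NO_SHARED_CIPHER: the security level filtered every aNULL suite
        return {"ok": False, "error": exc.reason or str(exc)}


if __name__ == "__main__":
    # 1. Per's symptom: only anonymous suites offered, default security level.
    print(negotiate("aNULL"))
    # 2. Viktor's recommendation: drop to level 0, and prune the weak suites in
    #    the cipher string yourself, because level 0 no longer does it for you.
    print(negotiate("aNULL:!eNULL:!RC4:!3DES:!MD5:@SECLEVEL=0"))
```

Two caveats a practitioner would want: the finite-field ADH suites additionally need DH parameters on the server (SSLContext.load_dh_params), which this example does not load, so expect an AECDH suite to be negotiated over TLS 1.2 (anonymous suites do not exist in TLS 1.3); and, as Viktor says, with no authentication an active attacker can sit in the middle, so @SECLEVEL=0 only makes sense where that is accepted.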
Re: [openssl-users] Open ssl error "hex string is too long invalid hex key value"
On 12/04/18 07:05, shagun maheshwari wrote:
> Hi,
>
> We are getting an error "OpenSSL error hex string is too long invalid hex key
> value". OpenSSL version we are using is openssl-1.0.2k-8.el7. We have solved
> this issue by applying a patch in openssl package suggested by openssl
> community
> (https://mta.openssl.org/pipermail/openssl-dev/2016-May/007266.html).
>
> In which release of OpenSSL, we can expect this fix?
>

The thread you point to doesn't describe a bug in 1.0.2. The command line
provided to OpenSSL in that thread is in error. The hex string provided for the
key is too long (by 2 bytes), so OpenSSL is doing the right thing by issuing an
error message. It seems that this was tolerated in older versions of OpenSSL
(1.0.1) - but that behaviour can probably be considered a bug in those older
(out of support) versions.

Matt
[openssl-users] Open ssl error "hex string is too long invalid hex key value"
Hi,

We are getting an error "OpenSSL error hex string is too long invalid hex key
value". OpenSSL version we are using is openssl-1.0.2k-8.el7. We have solved
this issue by applying a patch in openssl package suggested by openssl
community
(https://mta.openssl.org/pipermail/openssl-dev/2016-May/007266.html).

In which release of OpenSSL, we can expect this fix?

Please help.

Regards,
Shagun