>> Then I tried adding :@SECLEVEL=0 to my cipher suite list. That made the
>> trick, but as far as I understand, it switches off some other cipher checks.
>> What's the recommended way of allowing ADH?
>For now just @SECLEVEL=0. There's not yet a more fine-grained to set the
>security
>level for crypto parameters but allow certificate-less key exchange. If
>you're willing
>to allow MiTM attacks, then downgrades are of scope, and the peers will
>negotiate
>the best available ciphers, so @SECLEVEL=0 is probably fine, you'll still get
>strong ciphers.
>You can also limit the cipher list to exclude anything you feel is too weak to
>offer.
Since we never allow unauthenticated cipher suites in production
configurations, it's actually not a problem with the @SECLEVEL solution for
those test systems where we do use ADH. Glad that I don't have to use a
modified callback.
Thanks a lot, Per
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users