On Tue, May 24, 2016 at 05:45:56PM +0000, Salz, Rich wrote:

> > >./openssl ciphers -v 'ALL:aNULL' |grep ECDH |grep "Au=None"
> > AECDH-AES256-SHA SSLv3 Kx=ECDH Au=None Enc=AES(256) Mac=SHA1
> > AECDH-AES128-SHA SSLv3 Kx=ECDH Au=None Enc=AES(128) Mac=SHA1
> > AECDH-RC4-SHA SSLv3 Kx=ECDH Au=None Enc=RC4(128) Mac=SHA1
> > AECDH-DES-CBC3-SHA SSLv3 Kx=ECDH Au=None Enc=3DES(168) Mac=SHA1
> > AECDH-NULL-SHA SSLv3 Kx=ECDH Au=None Enc=None Mac=SHA1
> >
> > 1) What arg to SSL_CTX_set_cipher_list() do I need to use to get these?
> > I previously tried "kEECDH:kEDH" and that didn't work.
>
> Use one of the names in the first column.

No.  To avoid overly-specific settings:

    # To insist on anon ciphersuites:
    OpenSSL 1.0.x: ALL+aNULL
    OpenSSL 1.1.x: ALL+aNULL:@SECLEVEL=0

    # To prefer anon ciphersuites:
    OpenSSL 1.0.x: aNULL:-aNULL:ALL
    OpenSSL 1.1.x: aNULL:-aNULL:ALL:@SECLEVEL=0

    # To tolerate anon ciphersuites without explicit preference:
    OpenSSL 1.0.x: ALL
    OpenSSL 1.1.x: ALL:@SECLEVEL=0

In OpenSSL 1.1.0 I wanted to implement @AUTHLEVEL, to support @SECLEVEL=1
for ciphers, while allowing anon auth, but that did not make it into the
code early enough:

    ssl/ssl_cert.c:

        /*
         * XXX: Separate @AUTHSECLEVEL and @TLSSECLEVEL would be useful at some
         * point, for now a single @SECLEVEL sets the same policy for TLS crypto
         * and PKI authentication.
         */
        X509_VERIFY_PARAM_set_auth_level(param, SSL_get_security_level(s));

That is perhaps still technically possible for 1.1.0, but almost certainly
too late, it is not a bug fix, and we're near the final release.  I'd like
to add that for the next release.

-- 
	Viktor.
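Editor's note: the following is an added example, not part of the thread and not OpenSSL code. It checks the three cipher strings from the reply above ("insist", "prefer", "tolerate" are labels chosen here, not OpenSSL terms) against whatever OpenSSL the local Python ssl module is linked to. SSLContext.set_ciphers() passes its argument straight to SSL_CTX_set_cipher_list(), the function the original question asked about, so the strings behave as they would in a C caller. The only assumption is an OpenSSL build that still ships the anonymous suites (the default build does; they are merely left out of DEFAULT).

```python
"""Check the three aNULL cipher-string policies from the thread against the
OpenSSL that Python's ssl module is built on.  Added example, not code from
the thread or from OpenSSL."""
import ssl

# OpenSSL 1.1.x and later need @SECLEVEL=0 to keep unauthenticated suites
# usable; 1.0.x does not know the keyword and would reject the whole string.
SECLEVEL_SUFFIX = ":@SECLEVEL=0" if ssl.OPENSSL_VERSION_INFO[:2] >= (1, 1) else ""

# The three policies exactly as given in the reply; the dict keys are labels
# chosen for this example only.
POLICIES = {
    "insist":   "ALL+aNULL" + SECLEVEL_SUFFIX,         # '+' is an AND: only anon suites
    "prefer":   "aNULL:-aNULL:ALL" + SECLEVEL_SUFFIX,  # anon first, then ALL's default order
    "tolerate": "ALL" + SECLEVEL_SUFFIX,               # anon included, default order
}


def is_anon(cipher):
    """True for an unauthenticated suite.  The 'description' field is the same
    text 'openssl ciphers -v' prints, so this is the grep "Au=None" from the
    original question."""
    return "Au=None" in cipher["description"]


def cipher_list(policy):
    """Suites the policy yields, in preference order, for TLS 1.2 and below.
    TLS 1.3 suites are governed by set_ciphersuites(), not the cipher string,
    and always appear in get_ciphers(), so they are dropped here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(POLICIES[policy])      # -> SSL_CTX_set_cipher_list()
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def summarize(policy):
    """Membership and ordering facts about the list a policy produces."""
    suites = cipher_list(policy)
    anon = [c["name"] for c in suites if is_anon(c)]
    return {
        "policy": POLICIES[policy],
        "total": len(suites),
        "anon": len(anon),
        "first": suites[0]["name"] if suites else None,
        "first_is_anon": bool(suites) and is_anon(suites[0]),
        "all_anon": bool(suites) and all(is_anon(c) for c in suites),
    }


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    for label in POLICIES:
        s = summarize(label)
        print(f'{label:8s} {s["policy"]:34s} total={s["total"]:3d} '
              f'anon={s["anon"]:2d} first={s["first"]}')
```

Two things to keep in mind when reading the output. First, "insist" should give only Au=None suites, "prefer" should put one of them at the head of the list, and "tolerate" should include the same anon suites but leave them at the tail, because ALL's default ordering moves aNULL last. Second, get_ciphers() wraps SSL_get_ciphers(), which per its manual page is not filtered by the security level; on 1.1.x a string without @SECLEVEL=0 would still list the anon suites here even though the handshake would never offer or accept them. The list shows what the string selects; the security level decides what is actually usable, which is exactly the coupling the @AUTHLEVEL idea in the reply wants to loosen.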