Re: How to use ADH with OpenSSL 1.1.0

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



>> Then I tried adding :@SECLEVEL=0 to my cipher suite list. That made the trick, but as far as I understand, it switches off some other cipher checks. What's the recommended way of allowing ADH?

>For now just @SECLEVEL=0.  There's not yet a more fine-grained to set the security 
>level for crypto parameters but allow certificate-less key exchange.  If you're willing
>to allow MiTM attacks, then downgrades are of scope, and the peers will negotiate
>the best available ciphers, so @SECLEVEL=0 is probably fine, you'll still get strong ciphers.
>You can also limit the cipher list to exclude anything you feel is too weak to offer.

Since we never allow unauthenticated cipher suites in production configurations, it's actually not a problem with the @SECLEVEL solution for those test systems where we do use ADH. Glad that I don't have to use a modified callback.
Thanks a lot, Per

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux