On Thu, Aug 13, 2020 at 08:19:10PM +0200, Detlef Vollmann wrote:
> Hello,
>
> with the following commands:
>
> openssl s_server -accept 18010 -cert srv.crt -key test.key \
> -CAfile testca.crt -debug -cipher 'NULL-SHA256' -dtls1_2
>
> openssl s_client -connect localhost:18010 -cert clnt.crt \
> -key test.key -CAfile testca.crt -debug \
> -cipher 'COMPLEMENTOFALL:eNULL' -dtls1_2
>
> NULL ciphers work fine with OpenSSL 1.0.2g.
>
> With OpenSSL 1.1.1g the handshake fails on the server side with
> 140295725053248:error:14102438:SSL routines:dtls1_read_bytes:tlsv1 \
> alert internal error:../ssl/record/rec_layer_d1.c:611:SSL alert number \
> 80
>
> Even on OpenSSL 1.1.1g 'openssl ciphers -v NULL' lists NULL-SHA256.
>
> I'm only using s_server and s_client as tests, but I have the same
> problem in my application if I use
> SSL_CTX_set_cipher_list(sslCtx, "NULL-SHA256");
>
> What can I do to get NULL ciphers for no encryption working?

-cipher 'COMPLEMENTOFALL:eNULL@SECLEVEL=0'