On Thu, Sep 03, 2020 at 11:45:28PM +0000, Yury Mazin via openssl-users wrote:

> We have a server that was originally using OpenSSL 1.0.2h. The server is
> configured to use SSL ciphers as follows:
>
> ALL:!aNULL:!ADH:!EDH:!eNULL:!EXPORT
>
> When the openssl client tries to connect to this server with the command
>
> openssl s_client -connect localhost:8101 -cipher aNULL
>
> it fails, because no aNULL ciphers are available per the server
> configuration.

As expected.

> We have now upgraded the server to use OpenSSL 1.1.1f. The current
> behavior is this: the client can connect using the same command
>
> openssl s_client -connect localhost:8101 -cipher aNULL
>
> or
>
> openssl s_client -tls1_3 -connect localhost:8101 -cipher aNULL

The "-cipher" command affects only the TLS <= 1.2 à la carte ciphersuites,
but not the TLS 1.3 Chinese-menu cipher list. So the TLS 1.3 ciphers
remain unaffected, and these send a server certificate that the client
ignores.

> while the same connect attempt using the TLS 1.2 protocol would still fail
>
> openssl s_client -tls1_2 -connect localhost:8001 -cipher aNULL

As expected.

> Would the fact that I can connect to the server using TLS 1.3 using
> the following command (specifically, using -cipher aNULL, while the server
> is configured to exclude all aNULL cipher suites) be considered a
> security violation?

No. This is expected behaviour.

-- 
	Viktor.
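The behaviour described in the reply above can be reproduced against a local s_server. The script below is an added example, not code from the thread or from the OpenSSL project. It assumes an openssl binary of version 1.1.1 or later on PATH and a free loopback port (14433 is a chosen value), generates a throwaway self-signed certificate, and starts s_server with the cipher string from the thread. Two additions relative to the thread's commands: the server is also given a single TLS 1.3 ciphersuite via -ciphersuites so that the option which actually governs TLS 1.3 can be shown, and the client's aNULL string has @SECLEVEL=0 appended so the anonymous suites are offered whatever the distribution's default security level is.

```shell
#!/bin/sh
# Added example (not from the openssl-users thread): show that s_client's
# -cipher option only restricts the TLS <= 1.2 cipher list, while TLS 1.3
# is governed by -ciphersuites and always sends a server certificate.
# Assumptions: openssl >= 1.1.1 on PATH, loopback port 14433 free.

PORT=14433          # assumed free loopback port
WORK=
SERVER_PID=

# Throwaway self-signed RSA certificate for the test server.
make_cert() {
    WORK=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=localhost \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Server using the thread's cipher string for TLS <= 1.2, plus one TLS 1.3
# suite (our addition). -www keeps s_server serving without reading stdin;
# binding 127.0.0.1 keeps the test listener off the network.
start_server() {
    openssl s_server -accept "127.0.0.1:$PORT" -www \
        -cert "$WORK/cert.pem" -key "$WORK/key.pem" \
        -cipher 'ALL:!aNULL:!ADH:!EDH:!eNULL:!EXPORT' \
        -ciphersuites TLS_AES_256_GCM_SHA384 >/dev/null 2>&1 &
    SERVER_PID=$!
    i=0
    while [ "$i" -lt 10 ]; do       # wait until the listener answers
        if openssl s_client -connect "127.0.0.1:$PORT" </dev/null >/dev/null 2>&1; then
            return 0
        fi
        i=$((i + 1)); sleep 1
    done
    return 1
}

stop_server() {
    [ -n "$SERVER_PID" ] && kill "$SERVER_PID" 2>/dev/null
    wait "$SERVER_PID" 2>/dev/null || true
    rm -rf "$WORK"
}

# One s_client attempt with the given options. s_client exits 0 once the
# handshake completed and stdin hit EOF, 1 on handshake failure.
try_connect() {
    if openssl s_client -connect "127.0.0.1:$PORT" "$@" </dev/null >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# "<protocol> <cipher>" taken from s_client's "New, TLSv1.x, Cipher is ..." line.
negotiated() {
    openssl s_client -connect "127.0.0.1:$PORT" "$@" </dev/null 2>/dev/null \
        | sed -n 's/^New, \(TLSv1\.[0-9]\), Cipher is \(.*\)$/\1 \2/p' | head -n 1
}

# The thread's client cipher string, with @SECLEVEL=0 appended (our addition)
# so the anonymous suites are offered regardless of the default level.
ANON='aNULL:@SECLEVEL=0'

main() {
    make_cert && start_server || { echo "could not start test server" >&2; exit 1; }
    echo "TLS 1.2, -cipher $ANON:            $(try_connect -tls1_2 -cipher "$ANON")"
    echo "TLS 1.3, -cipher $ANON:            $(try_connect -tls1_3 -cipher "$ANON")"
    echo "    negotiated: $(negotiated -tls1_3 -cipher "$ANON")"
    # -ciphersuites is the option that actually governs TLS 1.3.
    echo "TLS 1.3, -ciphersuites AES128 only:   $(try_connect -tls1_3 -ciphersuites TLS_AES_128_GCM_SHA256)"
    echo "TLS 1.3, -ciphersuites AES256 only:   $(try_connect -tls1_3 -ciphersuites TLS_AES_256_GCM_SHA384)"
    stop_server
}

main
```

The TLS 1.2 attempt fails with no shared cipher, exactly as in the thread; the TLS 1.3 attempt with the same -cipher string completes, negotiating TLS_AES_256_GCM_SHA384 and receiving the server's certificate, because the -cipher list was never consulted for TLS 1.3. Restricting the client to TLS_AES_128_GCM_SHA256 with -ciphersuites, which the server does not offer, is what makes the TLS 1.3 handshake fail. When checking whether a TLS 1.3 connection was authenticated, look at s_client's certificate verification output rather than at the cipher string.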