Re: [EXTERNAL] - Re: Question about TLS 1.3 and openssl -cipher aNULL option

Viktor,

Thank you for clarifying it.

Yury

From: openssl-users <openssl-users-bounces@xxxxxxxxxxx> on behalf of Viktor Dukhovni <openssl-users@xxxxxxxxxxxx>
Sent: Friday, September 4, 2020 12:10 PM
To: openssl-users@xxxxxxxxxxx <openssl-users@xxxxxxxxxxx>
Subject: Re: [EXTERNAL] - Re: Question about TLS 1.3 and openssl -cipher aNULL option
 
On Fri, Sep 04, 2020 at 07:00:01PM +0000, Yury Mazin via openssl-users wrote:

> Thank you Benjamin,
>
> According to OpenSSL , aNULL stands for no-authentication.

Specifically, SSL 3.0 through TLS 1.2 ciphers in which the server and
client exchange no certificates, and the TLS handshake consists largely
of an unsigned anonymous ephemeral DH or ECDH key exchange.

TLS 1.3 dropped support for anonymous DH and ECDH.  Server certificates
are *required*.  And the all-in-one ciphersuites of TLS <= 1.2, are
replaced with separately negotiated components.  As a result of which,
in OpenSSL 1.1.1 and later, they are controlled via a different set of
APIs and command-line options.

Specifically, in your case, the "-ciphers aNULL" option only applies
to TLS <= 1.2.

> Does it mean that all 3 default protocols of TLS 1.3 offer no
> authentication

No.  None of them "support no authentication" (which is not even strictly
true, it is the protocol that does not support "no authentication",
the TLS 1.3 ciphers are simply silent re certificate algorithm selection),
but the "-cipher aNULL" is simply not used when TLS 1.3 is negotiated,
so your question makes incorrect assumptions to reach its tentative
conclusions.

--
    Viktor.
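To make the point above concrete, here is an added example (mine, not from the thread or the OpenSSL project) using Python's ssl module, whose set_ciphers() wraps the same SSL_CTX_set_cipher_list() parser that the CLI's -cipher option uses. It applies "aNULL" and "DEFAULT" and shows that the TLS 1.3 suites (reported with Au=any) are identical under both strings, while only the TLS <= 1.2 entries change. It assumes an OpenSSL 1.1.1+ build with the anonymous DH/ECDH suites compiled in.

```python
import ssl


def ciphers_by_protocol(cipher_string):
    """Apply cipher_string through SSLContext.set_ciphers(), which wraps the
    SSL_CTX_set_cipher_list() parser behind `-cipher`, then group the
    resulting cipher list by the protocol version OpenSSL reports.
    TLS 1.3 suites are set by a separate API (SSL_CTX_set_ciphersuites,
    the CLI's -ciphersuites), so this string never adds or removes them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    groups = {}
    for cipher in ctx.get_ciphers():
        groups.setdefault(cipher["protocol"], []).append(cipher)
    return groups


def auth_values(ciphers):
    """Collect the Au= field of each OpenSSL cipher description line, e.g.
    'ADH-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=None ...' gives 'None', while a
    TLS 1.3 suite reports 'Au=any' because certificate authentication is
    negotiated separately from the cipher in that protocol version."""
    found = set()
    for cipher in ciphers:
        for token in cipher["description"].split():
            if token.startswith("Au="):
                found.add(token[len("Au="):])
    return found


def split_tls13(cipher_string):
    """Return (tls13_suite_names, legacy_auth_values): the TLS 1.3 suites
    left in place by cipher_string, and the set of Au= values across every
    TLS <= 1.2 entry the string actually selected."""
    groups = ciphers_by_protocol(cipher_string)
    tls13 = [c["name"] for c in groups.get("TLSv1.3", [])]
    legacy = [c for proto, cs in groups.items() if proto != "TLSv1.3" for c in cs]
    return tls13, auth_values(legacy)


if __name__ == "__main__":
    for spec in ("aNULL", "DEFAULT"):
        suites, auths = split_tls13(spec)
        print(f"{spec:8} TLS 1.3 suites kept: {suites}")
        print(f"{spec:8} Au= values among TLS<=1.2 entries: {sorted(auths)}")
```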
