Hello,
I have a question based on the response provided to me:
My question is why the following openssl commands (version 1.1.1f) return those TLSv1.3 ciphers as offering no authentication and no encryption?
C:\OpenText\iHub20.4-29324643-250C200831\ihub\modules\BIRTiHub\iHub\bin>openssl ciphers -v -s NULL
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
C:\OpenText\iHub20.4-29324643-250C200831\ihub\modules\BIRTiHub\iHub\bin>openssl ciphers -v -s eNULL
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
C:\OpenText\iHub20.4-29324643-250C200831\ihub\modules\BIRTiHub\iHub\bin>openssl ciphers -v -s aNULL
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
From: Yury Mazin <ymazin@xxxxxxxxxxxx>
Sent: Friday, September 4, 2020 12:43 PM
To: openssl-users@xxxxxxxxxxx <openssl-users@xxxxxxxxxxx>
Subject: Re: [EXTERNAL] - Re: Question about TLS 1.3 and openssl -cipher aNULL option
Viktor,
Thank you for clarifying it.
Yury
From: openssl-users <openssl-users-bounces@xxxxxxxxxxx> on behalf of Viktor Dukhovni <openssl-users@xxxxxxxxxxxx>
Sent: Friday, September 4, 2020 12:10 PM
To: openssl-users@xxxxxxxxxxx <openssl-users@xxxxxxxxxxx>
Subject: Re: [EXTERNAL] - Re: Question about TLS 1.3 and openssl -cipher aNULL option

On Fri, Sep 04, 2020 at 07:00:01PM +0000, Yury Mazin via openssl-users wrote:

> Thank you Benjamin,
>
> According to OpenSSL, aNULL stands for no-authentication.

Specifically, SSL 3.0 through TLS 1.2 ciphers in which the server and client exchange no certificates, and the TLS handshake consists largely of an unsigned anonymous ephemeral DH or ECDH key exchange. TLS 1.3 dropped support for anonymous DH and ECDH. Server certificates are *required*. And the all-in-one ciphersuites of TLS <= 1.2 are replaced with separately negotiated components. As a result of which, in OpenSSL 1.1.1 and later, they are controlled via a different set of APIs and command-line options. Specifically, in your case, the "-ciphers aNULL" option only applies to TLS <= 1.2.

> Does it mean that all 3 default protocols of TLS 1.3 offer no
> authentication

No. None of them "support no authentication" (which is not even strictly true, it is the protocol that does not support "no authentication", the TLS 1.3 ciphers are simply silent re certificate algorithm selection), but the "-cipher aNULL" is simply not used when TLS 1.3 is negotiated, so your question makes incorrect assumptions to reach its tentative conclusions.

--
    Viktor.
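The following script is an added example and is not part of the thread or of OpenSSL itself. It shows the practical consequence of Viktor's point when auditing a cipher list: the `Kx=any Au=any` on the TLSv1.3 lines does not mean "no authentication", so a check for genuinely unauthenticated or unencrypted suites must look for `Au=None` and `Enc=None` instead, and the TLSv1.3 entries must be treated as a separate group governed by `-ciphersuites` rather than `-cipher`. The sample input is constructed here in the format of `openssl ciphers -v` output (the three TLSv1.3 lines from the thread plus two TLS 1.2 entries, ADH-AES256-GCM-SHA384 and NULL-SHA256, which really do lack peer authentication and encryption respectively); the function names are my own.

```shell
#!/bin/sh
# Constructed sample in `openssl ciphers -v` format (not captured from a real run).
# Columns: name protocol Kx= Au= Enc= Mac=
SAMPLE='TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256 TLSv1.3 Kx=any Au=any Enc=AESGCM(128) Mac=AEAD
ADH-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=None Enc=AESGCM(256) Mac=AEAD
NULL-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=None Mac=SHA256'

# Print the names of suites that truly provide no peer authentication (Au=None)
# or no encryption (Enc=None). TLSv1.3 lines report Au=any because certificate
# algorithms are negotiated separately there, so they are correctly not flagged.
weak_suites() {
    awk '$4 == "Au=None" || $5 == "Enc=None" { print $1 }'
}

# Count the two groups that OpenSSL 1.1.1+ controls with different options:
# TLSv1.3 suites (-ciphersuites) and TLS <= 1.2 suites (-cipher, where aNULL applies).
count_tls13()  { awk '$2 == "TLSv1.3"' | wc -l | tr -d ' '; }
count_legacy() { awk '$2 != "TLSv1.3"' | wc -l | tr -d ' '; }

# Stand-alone run over the constructed sample.
echo "Suites with no authentication or no encryption:"
printf '%s\n' "$SAMPLE" | weak_suites
echo "TLSv1.3 suites (ignore -cipher): $(printf '%s\n' "$SAMPLE" | count_tls13)"
echo "TLS<=1.2 suites (governed by -cipher): $(printf '%s\n' "$SAMPLE" | count_legacy)"

# Same check against the local OpenSSL, if one is installed. -s restricts the
# list to what the security level actually permits, which is why the anonymous
# TLS 1.2 suites disappear while the TLSv1.3 suites remain.
if command -v openssl >/dev/null 2>&1; then
    echo "Local 'openssl ciphers -v -s aNULL' weak suites (expected: none):"
    openssl ciphers -v -s aNULL 2>/dev/null | weak_suites || true
fi
```

Running it against a live OpenSSL with `-cipher aNULL` prints no weak suites at the default security level, while `openssl ciphers -v aNULL` (without `-s`) would list the ADH/AECDH suites that the option really targets; either way the TLSv1.3 lines are unaffected and should be judged by `-ciphersuites`, not by the legacy cipher string.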