Re: Can Openssl still use a null cipher?

Bryan Henderson <bryanh@xxxxxxxxxxxxxxxx> · Tue, 25 Feb 2025 20:12:57 -0800 (PST)

Thanks!  My problem is solved.  Adding @SECLEVEL=0 to the cipher string on both sides made it work.
It's a pity the program/library couldn't warn me that the only cipher suite I requested was incompatible with my security level (which I didn't even know existed).

>You need to set a ceiling on the protocol version:
>
>-max_protocol TLSv1.2

Apparently not.  When I do it, it always uses TLS v1.2.  I tried forcing it to v1.3 with a -tls1_3 option on the client side as an experiment, but that failed with error text containing the text "protocol version".  -tls1_3 on the server side didn't seem to make any difference.

The suggestion does make sense though; maybe the server is smart enough to know it doesn't have a chance of using 1.3 because it doesn't have any certificates and all 1.3-compatible ciphers use certificates and therefore insists on 1.2?

On Wednesday, February 26, 2025 at 2:54:16 AM UTC Viktor Dukhovni wrote:
On Tue, Feb 25, 2025 at 10:49:02AM -0800, Bryan Henderson wrote:

> I used to use the *openssl* program to demonstrate a client/server 

> connection with no certificates (*openssl s_server -nocert*), using

For that you need "aNULL" ciphers (no authentication), not "eNULL"

ciphers (no encryption).

>    *$ openssl s_client -cipher AECDH-NULL-SHA ...*

That is one is both:

    $ openssl ciphers -s -tls1_2 -v aNULL+eNULL:@SECLEVEL=0

    AECDH-NULL-SHA                 TLSv1   Kx=ECDH     Au=None  Enc=None                   Mac=SHA1

There are a few more, but none that work with TLS 1.3, because that

protocol version does not currently support any "aNULL" or "eNULL"

ciphers, and the TLS WG is not very receptive to having these

introduced. :-(

If you only want to turn off certificates, but encryption is OK as is

TLS <= 1.2, then your choice is broader:

    $ openssl ciphers -s -tls1_2 -v aNULL:@SECLEVEL=0

    ADH-AES256-GCM-SHA384          TLSv1.2 Kx=DH       Au=None  Enc=AESGCM(256)            Mac=AEAD

    ADH-AES128-GCM-SHA256          TLSv1.2 Kx=DH       Au=None  Enc=AESGCM(128)            Mac=AEAD

    ADH-AES256-SHA256              TLSv1.2 Kx=DH       Au=None  Enc=AES(256)               Mac=SHA256

    ADH-CAMELLIA256-SHA256         TLSv1.2 Kx=DH       Au=None  Enc=Camellia(256)          Mac=SHA256

    ADH-AES128-SHA256              TLSv1.2 Kx=DH       Au=None  Enc=AES(128)               Mac=SHA256

    ADH-CAMELLIA128-SHA256         TLSv1.2 Kx=DH       Au=None  Enc=Camellia(128)          Mac=SHA256

    AECDH-AES256-SHA               TLSv1   Kx=ECDH     Au=None  Enc=AES(256)               Mac=SHA1

    ADH-AES256-SHA                 SSLv3   Kx=DH       Au=None  Enc=AES(256)               Mac=SHA1

    ADH-CAMELLIA256-SHA            SSLv3   Kx=DH       Au=None  Enc=Camellia(256)          Mac=SHA1

    AECDH-AES128-SHA               TLSv1   Kx=ECDH     Au=None  Enc=AES(128)               Mac=SHA1

    ADH-AES128-SHA                 SSLv3   Kx=DH       Au=None  Enc=AES(128)               Mac=SHA1

    ADH-CAMELLIA128-SHA            SSLv3   Kx=DH       Au=None  Enc=Camellia(128)          Mac=SHA1

    AECDH-NULL-SHA                 TLSv1   Kx=ECDH     Au=None  Enc=None                   Mac=SHA1

> Why does Openssl ignore my cipher request, and is there any other way to do 

> a certificate-free connection?

You need to set a ceiling on the protocol version:

    -max_protocol TLSv1.2

For example:

    $ openssl s_client -max_protocol TLSv1.2 -connect 127.0.0.1:25 -starttls smtp \

        -cipher aNULL+kECDHE:@SECLEVEL=0 -brief

    Connecting to 127.0.0.1

    Can't use SSL_get_servername

    CONNECTION ESTABLISHED

    Protocol version: TLSv1.2

    Ciphersuite: AECDH-AES256-SHA

    No peer certificate or raw public key

    Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2

    Peer Temp Key: X25519, 253 bits

    250 CHUNKING

    quit

    221 2.0.0 Bye

[ There are sadly no code points for TLS 1.2 ciphers that combine aNULL

  with ECHDHE and an AEAD.  I think the stronger key agreement is more

  compelling. ]

And without the protocol ceiling (and RPK + DANE just for the fun of it,

just so the connection is verified, but not otherwise relevant) I get

TLS 1.3:

    $ openssl s_client -connect 127.0.0.1:25 -starttls smtp -cipher aNULL:@SECLEVEL=0 -brief \

        -enable_server_rpk \

        -dane_tlsa_domain=example.com \

        -dane_tlsa_rrdata="3 1 1 c0b67b03dab597a5d8b743e709ae080d7d3e509a7bab0a0288d8987feaeae803"

    Connecting to 127.0.0.1

    CONNECTION ESTABLISHED

    Protocol version: TLSv1.3

    Ciphersuite: TLS_AES_256_GCM_SHA384

    Peer used raw public key

    Signature type: mldsa65

    Verification: OK

    DANE TLSA 3 1 1 ...7bab0a0288d8987feaeae803 matched the peer raw public key

    Negotiated TLS1.3 group: X25519MLKEM768

    250 CHUNKING

    quit

    221 2.0.0 Bye

-- 

    Viktor.

-- 

You received this message because you are subscribed to the Google Groups "openssl-users" group.

To unsubscribe from this group and stop receiving emails from it, send an email to openssl-users+unsubscribe@xxxxxxxxxxx.

To view this discussion visit https://groups.google.com/a/openssl.org/d/msgid/openssl-users/dc7d7627-3dce-4ffa-a1f1-ceafd013f520n%40openssl.org.