Can Openssl still use a null cipher?
65 views
Skip to first unread message
Bryan Henderson
Feb 25, 2025, 1:49:02 PM2/25/25
to openssl-users
I used to use the openssl program to demonstrate a client/server connection with no certificates (openssl s_server -nocert), using
$ openssl s_client -cipher AECDH-NULL-SHA ...
on the client side.
After a software upgrade, -trace indicates that the cipher suites the client actually proposes are TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256, and TLS_EMPTY_RENEGOTIATION_INFO_SCSV and the handshake fails with no shared cipher.
Why does Openssl ignore my cipher request, and is there any other way to do a certificate-free connection?
Michael Wojcik
Feb 25, 2025, 1:55:46 PM2/25/25
to openssl-users
> From: openss...@openssl.org <openss...@openssl.org> On Behalf Of Bryan Henderson
> Sent: Tuesday, 25 February, 2025 11:49
> I used to use the openssl program to demonstrate a client/server connection with no
> certificates (openssl s_server -nocert), using
> $ openssl s_client -cipher AECDH-NULL-SHA ...
> on the client side.
Try "@SECLEVEL=0,AECDH-NULL-SHA" with the cipher list. A quick check with "openssl ciphers" (OpenSSL 3.0.8) suggests that should do what you want.
--
Michael Wojcik
================================
Rocket Software, Inc. and subsidiaries ■ 77 Fourth Avenue, Waltham MA 02451 ■ Main Office Toll Free Number: +1 855.577.4323
Contact Customer Support: https://my.rocketsoftware.com/RocketCommunity/RCEmailSupport
Unsubscribe from Marketing Messages/Manage Your Subscription Preferences - http://www.rocketsoftware.com/manage-your-email-preferences
Privacy Policy - http://www.rocketsoftware.com/company/legal/privacy-policy
================================
This communication and any attachments may contain confidential information of Rocket Software, Inc. All unauthorized use, disclosure or distribution is prohibited. If you are not the intended recipient, please notify Rocket Software immediately and destroy all copies of this communication. Thank you.
> Sent: Tuesday, 25 February, 2025 11:49
> I used to use the openssl program to demonstrate a client/server connection with no
> certificates (openssl s_server -nocert), using
> $ openssl s_client -cipher AECDH-NULL-SHA ...
> on the client side.
--
Michael Wojcik
================================
Rocket Software, Inc. and subsidiaries ■ 77 Fourth Avenue, Waltham MA 02451 ■ Main Office Toll Free Number: +1 855.577.4323
Contact Customer Support: https://my.rocketsoftware.com/RocketCommunity/RCEmailSupport
Unsubscribe from Marketing Messages/Manage Your Subscription Preferences - http://www.rocketsoftware.com/manage-your-email-preferences
Privacy Policy - http://www.rocketsoftware.com/company/legal/privacy-policy
================================
This communication and any attachments may contain confidential information of Rocket Software, Inc. All unauthorized use, disclosure or distribution is prohibited. If you are not the intended recipient, please notify Rocket Software immediately and destroy all copies of this communication. Thank you.
Viktor Dukhovni
Feb 25, 2025, 9:54:16 PM2/25/25
to openss...@openssl.org
On Tue, Feb 25, 2025 at 10:49:02AM -0800, Bryan Henderson wrote:
> I used to use the *openssl* program to demonstrate a client/server
> connection with no certificates (*openssl s_server -nocert*), using
For that you need "aNULL" ciphers (no authentication), not "eNULL"
ciphers (no encryption).
> *$ openssl s_client -cipher AECDH-NULL-SHA ...*
That is one is both:
$ openssl ciphers -s -tls1_2 -v aNULL+eNULL:@SECLEVEL=0
AECDH-NULL-SHA TLSv1 Kx=ECDH Au=None Enc=None Mac=SHA1
There are a few more, but none that work with TLS 1.3, because that
protocol version does not currently support any "aNULL" or "eNULL"
ciphers, and the TLS WG is not very receptive to having these
introduced. :-(
If you only want to turn off certificates, but encryption is OK as is
TLS <= 1.2, then your choice is broader:
$ openssl ciphers -s -tls1_2 -v aNULL:@SECLEVEL=0
ADH-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=None Enc=AESGCM(256) Mac=AEAD
ADH-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=None Enc=AESGCM(128) Mac=AEAD
ADH-AES256-SHA256 TLSv1.2 Kx=DH Au=None Enc=AES(256) Mac=SHA256
ADH-CAMELLIA256-SHA256 TLSv1.2 Kx=DH Au=None Enc=Camellia(256) Mac=SHA256
ADH-AES128-SHA256 TLSv1.2 Kx=DH Au=None Enc=AES(128) Mac=SHA256
ADH-CAMELLIA128-SHA256 TLSv1.2 Kx=DH Au=None Enc=Camellia(128) Mac=SHA256
AECDH-AES256-SHA TLSv1 Kx=ECDH Au=None Enc=AES(256) Mac=SHA1
ADH-AES256-SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1
ADH-CAMELLIA256-SHA SSLv3 Kx=DH Au=None Enc=Camellia(256) Mac=SHA1
AECDH-AES128-SHA TLSv1 Kx=ECDH Au=None Enc=AES(128) Mac=SHA1
ADH-AES128-SHA SSLv3 Kx=DH Au=None Enc=AES(128) Mac=SHA1
ADH-CAMELLIA128-SHA SSLv3 Kx=DH Au=None Enc=Camellia(128) Mac=SHA1
AECDH-NULL-SHA TLSv1 Kx=ECDH Au=None Enc=None Mac=SHA1
> Why does Openssl ignore my cipher request, and is there any other way to do
> a certificate-free connection?
You need to set a ceiling on the protocol version:
-max_protocol TLSv1.2
For example:
$ openssl s_client -max_protocol TLSv1.2 -connect 127.0.0.1:25 -starttls smtp \
-cipher aNULL+kECDHE:@SECLEVEL=0 -brief
Connecting to 127.0.0.1
Can't use SSL_get_servername
CONNECTION ESTABLISHED
Protocol version: TLSv1.2
Ciphersuite: AECDH-AES256-SHA
No peer certificate or raw public key
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Peer Temp Key: X25519, 253 bits
250 CHUNKING
quit
221 2.0.0 Bye
[ There are sadly no code points for TLS 1.2 ciphers that combine aNULL
with ECHDHE and an AEAD. I think the stronger key agreement is more
compelling. ]
And without the protocol ceiling (and RPK + DANE just for the fun of it,
just so the connection is verified, but not otherwise relevant) I get
TLS 1.3:
$ openssl s_client -connect 127.0.0.1:25 -starttls smtp -cipher aNULL:@SECLEVEL=0 -brief \
-enable_server_rpk \
-dane_tlsa_domain=example.com \
-dane_tlsa_rrdata="3 1 1 c0b67b03dab597a5d8b743e709ae080d7d3e509a7bab0a0288d8987feaeae803"
Connecting to 127.0.0.1
CONNECTION ESTABLISHED
Protocol version: TLSv1.3
Ciphersuite: TLS_AES_256_GCM_SHA384
Peer used raw public key
Signature type: mldsa65
Verification: OK
DANE TLSA 3 1 1 ...7bab0a0288d8987feaeae803 matched the peer raw public key
Negotiated TLS1.3 group: X25519MLKEM768
250 CHUNKING
quit
221 2.0.0 Bye
--
Viktor.
> I used to use the *openssl* program to demonstrate a client/server
> connection with no certificates (*openssl s_server -nocert*), using
For that you need "aNULL" ciphers (no authentication), not "eNULL"
ciphers (no encryption).
> *$ openssl s_client -cipher AECDH-NULL-SHA ...*
That is one is both:
$ openssl ciphers -s -tls1_2 -v aNULL+eNULL:@SECLEVEL=0
AECDH-NULL-SHA TLSv1 Kx=ECDH Au=None Enc=None Mac=SHA1
There are a few more, but none that work with TLS 1.3, because that
protocol version does not currently support any "aNULL" or "eNULL"
ciphers, and the TLS WG is not very receptive to having these
introduced. :-(
If you only want to turn off certificates, but encryption is OK as is
TLS <= 1.2, then your choice is broader:
$ openssl ciphers -s -tls1_2 -v aNULL:@SECLEVEL=0
ADH-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=None Enc=AESGCM(256) Mac=AEAD
ADH-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=None Enc=AESGCM(128) Mac=AEAD
ADH-AES256-SHA256 TLSv1.2 Kx=DH Au=None Enc=AES(256) Mac=SHA256
ADH-CAMELLIA256-SHA256 TLSv1.2 Kx=DH Au=None Enc=Camellia(256) Mac=SHA256
ADH-AES128-SHA256 TLSv1.2 Kx=DH Au=None Enc=AES(128) Mac=SHA256
ADH-CAMELLIA128-SHA256 TLSv1.2 Kx=DH Au=None Enc=Camellia(128) Mac=SHA256
AECDH-AES256-SHA TLSv1 Kx=ECDH Au=None Enc=AES(256) Mac=SHA1
ADH-AES256-SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1
ADH-CAMELLIA256-SHA SSLv3 Kx=DH Au=None Enc=Camellia(256) Mac=SHA1
AECDH-AES128-SHA TLSv1 Kx=ECDH Au=None Enc=AES(128) Mac=SHA1
ADH-AES128-SHA SSLv3 Kx=DH Au=None Enc=AES(128) Mac=SHA1
ADH-CAMELLIA128-SHA SSLv3 Kx=DH Au=None Enc=Camellia(128) Mac=SHA1
AECDH-NULL-SHA TLSv1 Kx=ECDH Au=None Enc=None Mac=SHA1
> Why does Openssl ignore my cipher request, and is there any other way to do
> a certificate-free connection?
-max_protocol TLSv1.2
For example:
$ openssl s_client -max_protocol TLSv1.2 -connect 127.0.0.1:25 -starttls smtp \
-cipher aNULL+kECDHE:@SECLEVEL=0 -brief
Connecting to 127.0.0.1
Can't use SSL_get_servername
CONNECTION ESTABLISHED
Protocol version: TLSv1.2
Ciphersuite: AECDH-AES256-SHA
No peer certificate or raw public key
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Peer Temp Key: X25519, 253 bits
250 CHUNKING
quit
221 2.0.0 Bye
[ There are sadly no code points for TLS 1.2 ciphers that combine aNULL
with ECHDHE and an AEAD. I think the stronger key agreement is more
compelling. ]
And without the protocol ceiling (and RPK + DANE just for the fun of it,
just so the connection is verified, but not otherwise relevant) I get
TLS 1.3:
$ openssl s_client -connect 127.0.0.1:25 -starttls smtp -cipher aNULL:@SECLEVEL=0 -brief \
-enable_server_rpk \
-dane_tlsa_domain=example.com \
-dane_tlsa_rrdata="3 1 1 c0b67b03dab597a5d8b743e709ae080d7d3e509a7bab0a0288d8987feaeae803"
Connecting to 127.0.0.1
CONNECTION ESTABLISHED
Protocol version: TLSv1.3
Ciphersuite: TLS_AES_256_GCM_SHA384
Peer used raw public key
Signature type: mldsa65
Verification: OK
DANE TLSA 3 1 1 ...7bab0a0288d8987feaeae803 matched the peer raw public key
Negotiated TLS1.3 group: X25519MLKEM768
250 CHUNKING
quit
221 2.0.0 Bye
--
Viktor.
Bryan Henderson
Feb 25, 2025, 11:12:57 PM2/25/25
to openssl-users, openss...@openssl.org
Thanks! My problem is solved. Adding @SECLEVEL=0 to the cipher string on both sides made it work.
It's a pity the program/library couldn't warn me that the only cipher suite I requested was incompatible with my security level (which I didn't even know existed).
>You need to set a ceiling on the protocol version:
>
>-max_protocol TLSv1.2
>
>-max_protocol TLSv1.2
Apparently not. When I do it, it always uses TLS v1.2. I tried forcing it to v1.3 with a -tls1_3 option on the client side as an experiment, but that failed with error text containing the text "protocol version". -tls1_3 on the server side didn't seem to make any difference.
The suggestion does make sense though; maybe the server is smart enough to know it doesn't have a chance of using 1.3 because it doesn't have any certificates and all 1.3-compatible ciphers use certificates and therefore insists on 1.2?
Viktor Dukhovni
Feb 25, 2025, 11:41:18 PM2/25/25
to openss...@openssl.org
On Tue, Feb 25, 2025 at 08:12:57PM -0800, Bryan Henderson wrote:
> Thanks! My problem is solved. Adding @SECLEVEL=0 to the cipher string on
> both sides made it work.
>
> It's a pity the program/library couldn't warn me that the only cipher suite
> I requested was incompatible with my security level (which I didn't even
> know existed).
Experience is what you get when you don't get what you want...
> Thanks! My problem is solved. Adding @SECLEVEL=0 to the cipher string on
> both sides made it work.
>
> It's a pity the program/library couldn't warn me that the only cipher suite
> I requested was incompatible with my security level (which I didn't even
> know existed).
> > You need to set a ceiling on the protocol version:
> > -max_protocol TLSv1.2
>
> Apparently not.
your's included, the server may be configured to do at most TLS 1.2,
and yes, in that case, the client-side ceiling is optional.
In particular, if you *do* set the protocol cap, *then* you get the
missing ciphers warning you wanted.
$ openssl s_client -max_protocol TLSv1.2 -connect 127.0.0.1:25 -starttls smtp -cipher aNULL+kECDHE -brief
Connecting to 127.0.0.1
806BAB3BB57F0000:error:0A0000B5:SSL routines:ssl_cipher_list_to_bytes:no ciphers available:ssl/statem/statem_clnt.c:4156:No ciphers enabled for max supported SSL/TLS version
While, otherwise, you may get a TLS 1.3 connection:
$ openssl s_client -connect 127.0.0.1:25 -starttls smtp -cipher aNULL+kECDHE -brief
Connecting to 127.0.0.1
Can't use SSL_get_servername
depth=0 CN=...
Can't use SSL_get_servername
verify error:num=18:self-signed certificate
CONNECTION ESTABLISHED
Protocol version: TLSv1.3
Ciphersuite: TLS_AES_256_GCM_SHA384
Peer certificate: CN=...
Protocol version: TLSv1.3
Ciphersuite: TLS_AES_256_GCM_SHA384
Hash used: UNDEF
Signature type: mldsa65
Verification error: self-signed certificate
Reply all
Reply to author
Forward
0 new messages