I am trying to have eNULL (null cipher) enabled while compiling
openssl from source.
I've tried with 0.9.8g source and providing the enable-<cipher> option to the
configure script with no luck.
I've tried combinations like enable-null, enable-eNULL, enable-null-md5, etc.
with (I believe) all uppercase/lowercase combinations.
I finally just edited SSL_DEFAULT_CIPHER_LIST in ssl.h to get it working
for me.
Is there a more correct/direct way to get this enabled? What would be the
correct configure/build options to enable the null cipher while compiling?
Thanks,
Vishal
--
"Thou shalt not follow the null pointer for at its end madness and chaos lie."
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openss...@openssl.org
Automated List Manager majo...@openssl.org
> Hello openssl-users,
>
> I am trying to have eNULL (null cipher) enabled while compiling
> openssl from source.
It is always enabled, no special compilation flags required.
> I finally just edited SSL_DEFAULT_CIPHER_LIST in ssl.h to get it working
> for me.
>
> Is there a more correct/direct way to get this enabled? What would be the
> correct configure/build options to enable the null cipher while compiling?
Applications have to enable NULL ciphers explicitly at runtime. Do not
recompile with a broken DEFAULT cipher list, just configure applications
that know what they are doing to use NULL ciphers by specifying a
suitable cipherlist.
--
Viktor.
Which version of OpenSSL are you talking about? An older one than
0.9.8g or the latest?
The one I tried (098g) the READMEs say "its disabled by default" and needs to be
enabled via a configuration flag while compiling it.
I'm using the ACE toolkit's ACE_SSL module (for SSL sockets support) which
depends on OpenSSL and it only "seems to work" when I do this manual
source edit.
I don't see any API/option in ACE_SSL to "enable NULL cipher" and the fact that
it "starts working" for me when I just rebuild the OpenSSL library with my
change leads me to ask this question.
Any tips on how I might peek under the hood to see what ACE_SSL is doing that
does not work unless I change the OpenSSL build?
- Vishal
> On 18 March 2010 10:09, Victor Duchovni
> <Victor....@morganstanley.com> wrote:
> > It is always enabled, no special compilation flags required.
> >
> > Applications have to enable NULL ciphers explicitly at runtime. Do not
> > recompile with a broken DEFAULT cipher list, just configure applications
> > that know what they are doing to use NULL ciphers by specifying a
> > suitable cipherlist.
>
> Which version of OpenSSL are you talking about? An older one than
> 0.9.8g or the latest?
>
> The one I tried (098g) the READMEs say "its disabled by default" and needs to be
> enabled via a configuration flag while compiling it.
>
> I'm using the ACE toolkit's ACE_SSL module (for SSL sockets support) which
> depends on OpenSSL and it only "seems to work" when I do this manual
> source edit.
>
> I don't see any API/option in ACE_SSL to "enable NULL cipher" and the fact that
> it "starts working" for me when I just rebuild the OpenSSL library with my
> change leads me to ask this question.
>
There was an option which was required long ago.
> Any tips on how I might peek under the hood to see what ACE_SSL is doing that
> does not work unless I change the OpenSSL build?
>
The application needs a runtime configuration option to set an alternative
cipherlist. The functions SSL_CTX_set_cipher_list() and SSL_set_cipher_list()
do this.
Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
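
Added example, not part of the thread and not ACE or OpenSSL project code: Python's `ssl.SSLContext.set_ciphers()` hands its string to the `SSL_CTX_set_cipher_list()` function named above, so it can show what a runtime cipher list expands to and whether it turns on NULL-encryption suites. The sample cipher strings and the `@SECLEVEL=0` token are assumptions for a current OpenSSL build (0.9.8g predates security levels).

```python
import ssl


def expand(cipher_string):
    """Return the TLS <= 1.2 suite names that a cipher string selects.

    Returns [] when the linked OpenSSL rejects the string or nothing matches.
    TLS 1.3 suites are configured through a separate API, so they are skipped.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)  # wraps SSL_CTX_set_cipher_list()
    except ssl.SSLError:
        return []
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def null_suites(cipher_string):
    """Return the selected suites that provide no encryption (eNULL)."""
    return [name for name in expand(cipher_string) if "NULL" in name.split("-")]


def audit(configs):
    """Map each application name to the NULL suites its cipher list enables."""
    return {app: null_suites(cs) for app, cs in configs.items()}


# Constructed sample configuration: application name -> runtime cipher list.
SAMPLE_CONFIGS = {
    "stock-default": "DEFAULT",
    "hardened": "HIGH:!aNULL:!eNULL",
    "explicit-null-opt-in": "eNULL:@SECLEVEL=0",
}

if __name__ == "__main__":
    print("linked library:", ssl.OPENSSL_VERSION)
    for app, found in audit(SAMPLE_CONFIGS).items():
        status = "NULL encryption ENABLED" if found else "no NULL suites"
        print(f"{app:22} {status} {found}")
```

On a library built without NULL suites the opt-in entry reports an empty list as well, which is why the result is a list of names rather than a yes/no flag.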