Re: mintls, maxtls, enclair, and cipher.

2019-02-03 Thread Richard Laager via devel
On 2/3/19 3:31 PM, Kurt Roeckx wrote:
> Note that by default that doesn't work.

Thanks! I was not aware of OpenSSL's security level concept, the @SECLEVEL=0 syntax in a cipher string, the -s option to ciphers, or the concept of an unusable cipher. That was a lot of good information packed into

Re: mintls, maxtls, enclair, and cipher.

2019-02-03 Thread Kurt Roeckx via devel
On Sun, Feb 03, 2019 at 03:15:55PM -0600, Richard Laager via devel wrote:
> On 2/3/19 1:01 PM, Eric S. Raymond wrote:
> > I guess it will have to be an empty string that disables encryption.
>
> I'm not sure if you wrote this before the recent messages on the NULL ciphers. But you said you were

Re: mintls, maxtls, enclair, and cipher.

2019-02-03 Thread Eric S. Raymond via devel
Richard Laager:
> On 2/3/19 1:01 PM, Eric S. Raymond wrote:
> > I guess it will have to be an empty string that disables encryption.
>
> I'm not sure if you wrote this before the recent messages on the NULL ciphers. But you said you were going to use that, so...
>
> It's not an empty

Re: mintls, maxtls, enclair, and cipher.

2019-02-03 Thread Richard Laager via devel
On 2/3/19 1:01 PM, Eric S. Raymond wrote:
> I guess it will have to be an empty string that disables encryption.

I'm not sure if you wrote this before the recent messages on the NULL ciphers. But you said you were going to use that, so...

It's not an empty string... the NULL ciphers have

Re: mintls, maxtls, enclair, and cipher.

2019-02-03 Thread Eric S. Raymond via devel
Richard Laager:
> If "cipher" is for TLS:

OK, that was the idea.

> Rename cipher to ciphers (plural) and add a second one named ciphersuites. You'll need two for testing anyway, as OpenSSL takes TLS 1.2 and 1.3 cipher specifications separately.
>
> Then those are just done for the final

Re: mintls, maxtls, enclair, and cipher.

2019-02-03 Thread Eric S. Raymond via devel
Achim Gratz via devel:
> Eric S. Raymond via devel writes:
> > Hal Murray:
> >> Please verify with a TLS wizard that you can do what you are describing with OpenSSL. I've poked around a bit and don't know how to do that.
> >

Re: mintls, maxtls, enclair, and cipher.

2019-02-03 Thread Eric S. Raymond via devel
Richard Laager:
> This enclair option will only be useful for very early testing (and can then be removed).

OK. It was easy to add and will be easy to remove.

On a related note, the fixed complexity cost of the "crypto" command was a bit annoying, but now that I've done it...

...the

Re: mintls, maxtls, enclair, and cipher.

2019-02-03 Thread Achim Gratz via devel
Eric S. Raymond via devel writes:
> Hal Murray:
>> Please verify with a TLS wizard that you can do what you are describing with OpenSSL. I've poked around a bit and don't know how to do that.

Re: mintls, maxtls, enclair, and cipher.

2019-02-03 Thread Richard Laager via devel
On 2/3/19 8:17 AM, Eric S. Raymond via devel wrote:
> Hal Murray:
>> Please verify with a TLS wizard that you can do what you are describing with OpenSSL. I've poked around a bit and don't know how to do that.
>
> My plan is to brute-force the problem. Rather than trying to beat TLS into

Re: mintls, maxtls, enclair, and cipher.

2019-02-03 Thread Eric S. Raymond via devel
Hal Murray:
> Please verify with a TLS wizard that you can do what you are describing with OpenSSL. I've poked around a bit and don't know how to do that.

My plan is to brute-force the problem. Rather than trying to beat TLS into talking en clair, I'll make 'enclair' change the socket-fu so

Re: mintls, maxtls, enclair, and cipher.

2019-02-03 Thread Hal Murray via devel
> The "enclair" option is intended to disable crypto negotiation so certificates are not required and traffic is sent en clair.

Please verify with a TLS wizard that you can do what you are describing with OpenSSL.

Re: mintls, maxtls, enclair, and cipher.

2019-02-03 Thread Richard Laager via devel
Typo "addresa" -> "address" numeric address, an IPv6 numeric addresa (in square brackets). If cipher is for NTP, I think you should rename it to ntpcipher (or ntpciphers). Or just drop it, since you're almost certainly only going to implement AES-SIV-CMAC for first ship. (And possibly that'll

mintls, maxtls, enclair, and cipher.

2019-02-03 Thread Eric S. Raymond via devel
I have implemented and fully documented a new 'crypto' configuration with options mintls, maxtls, and enclair. They set globals in ntpd/nts.c. The mintls and maxtls options are as discussed on this list. The "enclair" option is intended to disable crypto negotiation so certificates are not