I just found the man about setting the security level, which is very helpful.
May I suggest that a link be added to the 'see also' paragraph of the ciphers documentation?

From https://www.openssl.org/docs/manmaster/apps/ciphers.html
To https://www.openssl.org/docs/manmaster/ssl/SSL_set_security_level.html

> this is a good time to discuss whether @SECLEVEL should have any bearing on aNULL support.

Unfortunately, I have no valuable opinion, but I would be pleased to read about arguments that will be discussed on this list.

Thanks again,

Michel.

-----Original Message-----
From: openssl-dev [mailto:openssl-dev-boun...@openssl.org] On Behalf Of Viktor Dukhovni
Sent: Monday, January 25, 2016 18:48
To: openssl-dev@openssl.org
Subject: Re: [openssl-dev] s_client version 1.1 fails to handshake to s_server when -nocert option

> On Jan 25, 2016, at 11:36 AM, Michel <michel.sa...@free.fr> wrote:
>
> Thank you very much for your answer Viktor!
> It works, using:
> openssl s_server -nocert -cipher "ALL:@STRENGTH:@SECLEVEL=0"
> openssl s_client -cipher "ALL:@STRENGTH:@SECLEVEL=0"
> I was able to handshake a "AECDH-AES256-SHA" cipher.
> :-)
> I will try to investigate deeper around the SECLEVEL=... keyword that I
> completely missed.

It is a very new feature and easy to miss amidst all other new features.

I am currently working on fixing some corner cases in this very code, so this is a good time to discuss whether @SECLEVEL should have any bearing on aNULL support. My instinct is that it should not, and I'm going to submit code that allows one to set a floor on the various crypto primitives allowed even for aNULL connections (which may be authenticated by other means).

--
Viktor.

_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
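
A simplified static check for cipher strings like the one in the commands quoted above, reporting the @SECLEVEL they set and whether anonymous (aNULL) suites can still be offered. This is an added example, not code from the thread or from OpenSSL, and it does not reproduce OpenSSL's parser: the function names and the short alias set are assumptions made for illustration.

```python
import re

# Keywords that add anonymous (aNULL) suites. Assumption: a short, non-exhaustive
# set chosen for this example, not OpenSSL's own alias table.
ANON_ALIASES = {"ALL", "ANULL", "ADH", "AECDH", "COMPLEMENTOFDEFAULT"}


def audit_cipher_string(cipher_string):
    """Return (seclevel, anon_possible); seclevel is None if no @SECLEVEL is given."""
    seclevel, anon_enabled, anon_killed = None, False, False
    # OpenSSL accepts ':', ',' and space as separators between items.
    for token in re.split(r"[:, ]+", cipher_string.strip()):
        if not token:
            continue
        m = re.fullmatch(r"@SECLEVEL=(\d+)", token)
        if m:
            seclevel = int(m.group(1))  # a later @SECLEVEL overrides an earlier one
            continue
        if token.startswith("@"):       # e.g. @STRENGTH only reorders the list
            continue
        op = token[0] if token[0] in "!-+" else ""
        names = {n.upper() for n in token[len(op):].split("+")}
        touches_anon = any(
            n in ANON_ALIASES or n.startswith(("ADH-", "AECDH-")) for n in names
        )
        whole_class = names <= {"ANULL", "ALL"}
        if op == "!" and whole_class:    # '!' removes permanently
            anon_enabled, anon_killed = False, True
        elif op == "-" and whole_class:  # '-' removes, but a later item may re-add
            anon_enabled = False
        elif op == "" and touches_anon and not anon_killed:
            anon_enabled = True          # a leading '+' only moves suites, so it is ignored
    return seclevel, anon_enabled


def allows_anon_at_level0(cipher_string):
    """True when the string sets @SECLEVEL=0 and can still offer anonymous suites."""
    level, anon = audit_cipher_string(cipher_string)
    return level == 0 and anon


if __name__ == "__main__":
    # Constructed samples; the first is the string from the commands in the thread.
    for s in ("ALL:@STRENGTH:@SECLEVEL=0", "ALL:!aNULL:@SECLEVEL=0", "DEFAULT"):
        print(f"{s!r}: {audit_cipher_string(s)} flagged={allows_anon_at_level0(s)}")
```

A result of None for the level means the string leaves the library or build default in place.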