Hi,

  Thanks for the info, Victor.


I played with the openssl command line utility, with s_client & s_server 
configured to use eNULL with only NULL_SHA and NULL_MD5. The other ciphers 
of eNULL are disabled.

I could see the client sending the above ciphers and the server selecting 
NULL_SHA. Whatever I type at the server, I can see that message in the client 
terminal.
Hence I assume the exchange between client & server does happen.


I have two queries:
1) When I use my own applications (client & server) which use the openssl 
library, a separate client program and a separate server program, both configured 
to use only eNULL as above (i.e. with only NULL_SHA & NULL_MD5),

 I am seeing an error at the server application saying:

     Error in GET_CLIENT_HELLO_MSG: No shared ciphers: in s_srvr.c .....


I feel there is something missing in my client & server applications compared 
to the openssl client & server programs. 

I am unable to understand what the error message is saying. I was expecting that, 
since both my client & server have the common ciphers (NULL_SHA & NULL_MD5),
one of them would get selected and the handshake would get completed.

Can somebody tell me what the error messages convey in my application?


2) Getting back to the client & server programs supplied along with the openssl 
package: when eNULL was configured as mentioned above, I ran the Wireshark
packet capture utility.
I typed "hello world" at the server and the "hello world" was reflected in the 
client. 


I was expecting "hello world" to be seen in clear text because NULL encryption is 
used. 

But in Wireshark I could not see anything in clear text. At least I could not 
see "hello world" in the application data section of Wireshark.
Rightly, application data was after the client hello exchange messages sent by 
the SSL protocol.

Wondering why the clear text message was not seen. Is any form of encoding 
used by the client & server?

Thanks.
Have a nice day,
navin









________________________________
From: Victor Duchovni <victor.ducho...@morganstanley.com>
To: "openssl-users@openssl.org" <openssl-users@openssl.org>
Sent: Wednesday, 27 July 2011, 20:20
Subject: Re: testing null encryption

On Wed, Jul 27, 2011 at 02:53:09AM -0700, navin gopalakrishnan wrote:

> a) testing NULL Encryption:
> 
> While building openssl i modified the macro SSL_DEFAULT_CIPHER_LIST to 
> #define SSL_DEFAULT_CIPHER_LIST "eNULL"

That was unwise, don't do that.

> My understanding is the above modification would provide only data 
> authentication with NO encryption.

Or possibly neither:

    $ openssl ciphers -v eNULL
    ECDHE-RSA-NULL-SHA      SSLv3 Kx=ECDH     Au=RSA  Enc=None      Mac=SHA1
    ECDHE-ECDSA-NULL-SHA    SSLv3 Kx=ECDH     Au=ECDSA Enc=None      Mac=SHA1
    AECDH-NULL-SHA          SSLv3 Kx=ECDH     Au=None Enc=None      Mac=SHA1
    ECDH-RSA-NULL-SHA       SSLv3 Kx=ECDH/RSA Au=ECDH Enc=None      Mac=SHA1
    ECDH-ECDSA-NULL-SHA     SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=None      Mac=SHA1
    NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
    NULL-MD5                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=MD5

as you can see above, the AECDH-NULL-SHA cipher provides neither
authentication nor encryption, just message integrity over an anonymous
channel.

> Is there a way to check this by running any test programs.

You should not change the DEFAULT cipher list. Rather, applications can
be configured with appropriate ciphers at run-time. The ciphers(1)
utility, by default lists the DEFAULT ciphers.

    $ openssl ciphers
    $ openssl ciphers -v

> b) build openssl with no compression/decompression support in openssl.?

You could read the "INSTALL" document that is included with the source
code.

> While building openssl passed "no-zlib" option in the configure script and 
> build went fine.

This is documented to do what you requested.

-- 
    Viktor.
______________________________________________________________________
OpenSSL Project                                http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                          majord...@openssl.org
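
Added example, not part of either message in this thread: a small audit of `openssl ciphers -v` output that reports which suites lack encryption (`Enc=None`) and which also lack authentication (`Au=None`), the distinction drawn above for AECDH-NULL-SHA. The function names are hypothetical and the sample input is the eNULL listing quoted in the thread.

```python
import subprocess

# Sample input: the `openssl ciphers -v eNULL` listing quoted in the thread.
SAMPLE = """\
ECDHE-RSA-NULL-SHA      SSLv3 Kx=ECDH     Au=RSA  Enc=None      Mac=SHA1
ECDHE-ECDSA-NULL-SHA    SSLv3 Kx=ECDH     Au=ECDSA Enc=None      Mac=SHA1
AECDH-NULL-SHA          SSLv3 Kx=ECDH     Au=None Enc=None      Mac=SHA1
ECDH-RSA-NULL-SHA       SSLv3 Kx=ECDH/RSA Au=ECDH Enc=None      Mac=SHA1
ECDH-ECDSA-NULL-SHA     SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=None      Mac=SHA1
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
NULL-MD5                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=MD5
"""

def parse_cipher_line(line):
    """Split one `openssl ciphers -v` row into name, protocol and Kx/Au/Enc/Mac."""
    tokens = line.split()
    if len(tokens) < 2:
        return None                      # blank or malformed row
    suite = {"name": tokens[0], "proto": tokens[1]}
    for tok in tokens[2:]:
        key, sep, value = tok.partition("=")
        if sep:                          # skip trailing words such as "export"
            suite[key] = value
    return suite

def audit(listing):
    """Map each suite name to the protections it does not provide."""
    findings = {}
    for line in listing.splitlines():
        suite = parse_cipher_line(line)
        if suite is None:
            continue
        missing = []
        if suite.get("Enc") == "None":
            missing.append("encryption")
        if suite.get("Au") == "None":
            missing.append("authentication")
        if missing:
            findings[suite["name"]] = missing
    return findings

def listing_for(spec):
    """Ask the local openssl binary which suites a cipher string expands to."""
    cmd = ["openssl", "ciphers", "-v", spec]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    for name, missing in audit(SAMPLE).items():
        print(f"{name}: no {' and no '.join(missing)}")
```

Passing the cipher string an application is actually configured with through `listing_for()` and then `audit()` shows what that string expands to on the local build.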
