Marek Marcola wrote:

Hello,
Hi, this might sound like an odd question, but I'm trying to figure
out if there's a way to "use" openssl without actually encrypting
anything.
Of course, SSL/TLS consists of three purposes:
- peer authentication (where, for example, RSA is used)
- data encryption (DES, AES ...)
- data integrity (SHA1, MD5)

We have a group of users here who wish to send email through
Thunderbird to an SMTP server (sendmail) that requires SSL/TLS
authentication/encryption. The complaint is that it takes too long for
Thunderbird to encrypt large attachments when sending email.
Email content security isn't a major concern in our situation but we
do want to keep the SSL/TLS authentication in order to prevent
others outside the group from relaying through the SMTP server.
Sendmail depends on openssl for the SSL/TLS portion, so I'm
trying to figure out if there's a way we can modify the SMTP server
to not attempt or require encryption from the email clients while
leaving the basic structure (sendmail/openssl) in place. Maybe set
the encryption strength to zero bits or something similar? I'm not
too openssl savvy, so any details would be greatly appreciated.
If you want to not encrypt your data but you want to have
client authentication (with an RSA key) you may use the eNULL cipher:

$ openssl ciphers -v eNULL
NULL-SHA   SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
NULL-MD5   SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=MD5

this means that if the server wants to verify client authentication
then the RSA key will be used; after proper authentication
data transferred between peers will not be encrypted (Enc=None)
but data integrity will be checked/preserved (Mac=SHA1,MD5),
which means that modification of this data by a third party
will be detected and in such case the SSL tunnel will be disconnected
(and peers notified).

In this situation, key_material will be generated but only
keys for data integrity (HMAC for TLS1, for example) will be used.

Best regards,
Thanks for the info, Marek, much appreciated. I used the above info
and it worked for reducing the key strength, but it didn't solve the delays
in sending email. Still good to know though since it's one less thing to
consider. Must be something else that's causing the long delays. Even
for short emails such as this, it takes an extra 45 seconds or so compared
to sending the email with SSL/TLS completely disabled. Maybe it's the
certificate verification step that's causing the Thunderbird delays. The
CA and the certificate we're using on the server side are self-generated
by openssl.

-Brian
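An added check, not part of the thread, that parses `openssl ciphers -v` output of the shape Marek shows and reports which suites give up confidentiality (Enc=None, what eNULL selects) or peer authentication (Au=None). The sample output is constructed: the first two lines are the NULL suites quoted above, the other suite names are assumptions added for contrast.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample of `openssl ciphers -v` output: the first two lines are
# the NULL suites quoted in the thread, the rest are assumed for contrast.
SAMPLE_CIPHERS_V = """\
NULL-SHA       SSLv3 Kx=RSA  Au=RSA  Enc=None      Mac=SHA1
NULL-MD5       SSLv3 Kx=RSA  Au=RSA  Enc=None      Mac=MD5
AES128-SHA     SSLv3 Kx=RSA  Au=RSA  Enc=AES(128)  Mac=SHA1
ADH-AES128-SHA SSLv3 Kx=DH   Au=None Enc=AES(128)  Mac=SHA1
"""

# One group per column of `openssl ciphers -v`; a trailing "export" flag
# that some builds print is ignored.
_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)

@dataclass(frozen=True)
class Suite:
    name: str
    proto: str
    kx: str
    au: str
    enc: str
    mac: str

    def encrypts(self) -> bool:       # Enc=None is what eNULL selects
        return self.enc != "None"

    def authenticates(self) -> bool:  # Au=None means anonymous key exchange
        return self.au != "None"

def parse_ciphers_v(text: str) -> list[Suite]:
    """Parse `openssl ciphers -v` output; lines that do not match are skipped."""
    return [Suite(**m.groupdict()) for m in map(_LINE.match, text.splitlines()) if m]

def audit(text: str) -> dict[str, list[str]]:
    """Bucket suites by what they drop. A server that keeps eNULL suites for
    relay control still needs every enabled suite to carry Au=RSA (or another
    real Au value); this makes any anonymous suite in the list visible."""
    report: dict[str, list[str]] = {"no_encryption": [], "no_authentication": [], "full": []}
    for s in parse_ciphers_v(text):
        if not s.encrypts():
            report["no_encryption"].append(s.name)
        elif not s.authenticates():
            report["no_authentication"].append(s.name)
        else:
            report["full"].append(s.name)
    return report

if __name__ == "__main__":
    for bucket, names in audit(SAMPLE_CIPHERS_V).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Feeding it the live output of `openssl ciphers -v '<your cipher string>'` instead of the constructed sample shows exactly which suites a given cipher string enables without encryption.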
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
