> The application I am developing requires HTTP over SSL connection
> and hence I am using OpenSSL for SSL support. But using OpenSSL
> with all the cryptographic libraries included increases the size of
> my app heavily. To deal with that, I want to build an OpenSSL
> library with NULL encryption (No Crypto Support at all) so that the
> size comes down fairly. My application uses OpenSSL for SSL handshake
> and I/O only with no encryption/decryption needed at all for data
> transfer.

You can certainly disable algorithms you don't really need. You can
eliminate elliptic curve, RC5, MDC2, IDEA, SSLv2, SHA0, blowfish, and
probably quite a few others. But I'm not sure I understand (or that you
understand) what you're really asking for. SSL is a security protocol, and
if you take away the encryption, what do you think is left?

Without crypto support, how is the SSL handshake going to work? The SSL
handshake is largely a succession of cryptographic operations. For example,
one of the steps of the SSL handshake requires the server to decrypt the
pre-master secret, which the client encrypts with the server's public key.
If the server cannot decrypt this because it has no encryption libraries,
how can it prove that it is the owner of its certificate? And if it can't do
that, why would the client continue talking to it?

What do you think is left if you subtract all encryption operations from
SSL? Authentication doesn't work without encryption. It's no use to make
absolutely sure you are talking to www.securesite.com if the subsequent data
is sent in the clear (because a man-in-the-middle could change it).

I would love to see the requirements that require SSL but do not require any
actual security.

What do you think "basic SSL" is?

DS


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
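
The pre-master-secret step described in the reply above, as an added example that is not part of the original message and is not OpenSSL code. It models the RSA key exchange in Python with a constructed toy key (textbook RSA, no padding) and an HMAC stand-in for the TLS PRF; all function names are hypothetical.

```python
import hashlib
import hmac
import os

# Constructed toy RSA key built from two Mersenne primes. Textbook RSA without
# padding, for illustration only; real TLS uses padded RSA or (EC)DHE.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # the server's private exponent


def derive_finished(pre_master: bytes, randoms: bytes, transcript: bytes) -> bytes:
    """Assumed stand-in for the TLS PRF: master secret, then the Finished MAC."""
    master = hmac.new(pre_master, b"master secret" + randoms, hashlib.sha256).digest()
    return hmac.new(master, b"server finished" + transcript, hashlib.sha256).digest()


def server_finished(encrypted_pms: int, private_exponent, randoms, transcript) -> bytes:
    """Server side: recover the pre-master secret, or guess if it cannot decrypt."""
    if private_exponent is None:
        pre_master = os.urandom(48)  # no private key (or no crypto): only a guess
    else:
        pre_master = pow(encrypted_pms, private_exponent, N).to_bytes(48, "big")
    return derive_finished(pre_master, randoms, transcript)


def client_accepts(private_exponent) -> bool:
    """Run one handshake; True if the client accepts the server's Finished."""
    randoms = os.urandom(32) + os.urandom(32)   # client_random + server_random
    pre_master = os.urandom(48)                 # chosen by the client
    # ClientKeyExchange: pre-master secret encrypted with the server's public key
    encrypted_pms = pow(int.from_bytes(pre_master, "big"), E, N)
    transcript = randoms + encrypted_pms.to_bytes(141, "big")
    expected = derive_finished(pre_master, randoms, transcript)
    received = server_finished(encrypted_pms, private_exponent, randoms, transcript)
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    print("server holding the private key:", client_accepts(D))
    print("server that cannot decrypt:", client_accepts(None))
```

A server that cannot perform the decryption derives a different master secret, so its Finished message fails verification and the client stops the handshake.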
