Hello, We have a server was originaly using OpenSSL 1.0.2h. Server is configured to use SSL ciphers as following ALL:!aNULL:!ADH:!EDH:!eNULL:!EXPORT When openssl client tries to connect to this server with command openssl s_client -connect localhost:8101-cipher aNULL it fails, because any aNULL ciphers are not available per server configuration. We have now upgraded server to use OpenSSL 1.1.1f. The current behavior is this: client can connect using the same command openssl s_client -connect localhost:8101 -cipher aNULL or openssl s_client -tls1_3 -connect localhost:8101 -cipher aNULL
while the same connect attempt using TLS1.2 protocol would still fail openssl s_client -tls1_2 -connect localhost:8001-cipher aNULL Would the fact that I can connect to the server using TLS 1.3 using the following command (specifically, using -cipher aNULL, while server is configured to exclude all aNULL cipher suites) considered a security violation? openssl s_client -tls1_3 -connect localhost:8001 -cipher aNULL Also, if this a security violation, how this can be addressed in the server configuration? Lastly, if this is not a security violation, please explain. Thank you, Yury Mazin
