HTTPS with NO Cipher Suite: Is it Possible?

G5 Cyber Security

2 weeks ago

TL;DR

Browsers cannot successfully connect to an HTTPS server configured with only the NONE cipher suite. While technically possible to initiate a connection attempt, modern browsers will reject it due to security concerns. The NONE cipher suite provides no encryption and is considered highly insecure.

Why This Matters

Understanding why this doesn’t work helps you troubleshoot SSL/TLS issues and appreciate the importance of secure configurations for your websites and applications. Attempting to use a NONE cipher suite defeats the purpose of HTTPS, which is to provide encrypted communication.

Step-by-Step Explanation

What are Cipher Suites?

Cipher suites are sets of algorithms used for encryption, authentication, and key exchange during an SSL/TLS handshake. They define how data is secured between a client (browser) and a server.
A typical HTTPS configuration includes multiple cipher suites to provide compatibility with various browsers and security levels.

The NONE Cipher Suite

The NONE cipher suite, as the name suggests, disables all encryption. It’s primarily used for testing purposes or in very specific scenarios where encryption isn’t required (e.g., local network debugging).
It is represented by a string like TLS_NULL_WITH_NULL_NULL.

Browser Security Requirements

Modern browsers enforce strong security policies and require at least one supported cipher suite to establish an HTTPS connection. They will not connect if the server only offers insecure options like NONE.
Browsers maintain a list of acceptable cipher suites, which are regularly updated based on evolving security standards.

Connection Attempt and Rejection

When a browser attempts to connect to an HTTPS server with only the NONE cipher suite enabled, it sends a ClientHello message listing its supported cipher suites.
The server responds with a ServerHello message offering only the NONE cipher suite.
The browser detects that none of the offered cipher suites are acceptable and terminates the connection attempt, usually displaying an error like “ERR_SSL_VERSION_OR_CIPHER_MISMATCH”.

Verifying Server Cipher Suites (using OpenSSL)

You can use OpenSSL to check which cipher suites a server supports:

openssl s_client -connect yourdomain.com:443

Look for the line starting with “Cipher Suite:”. This will show you the available cipher suites.

Configuring Cipher Suites (Example using Apache)

In Apache, you configure cipher suites in your SSL virtual host configuration file. Do not disable all encryption! Here’s an example of a secure configuration:

SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA384:DHE-RSA-AES128-SHA256

Restart Apache after making changes:

sudo systemctl restart apache2

Testing with a Secure Configuration

After configuring secure cipher suites, test your HTTPS connection using an online SSL checker tool (e.g., SSL Labs Server Test: https://www.ssllabs.com/ssltest/) to ensure it meets modern security standards.

Conclusion

While you can technically configure a server to offer only the NONE cipher suite, browsers will not connect due to security protocols. Always use strong and supported cipher suites for secure HTTPS communication.