Handling NULL key exchange for NULL_ ciphersuite

What is the correct way to interpret handling of the NULL ciphersuite for
key exchange?

The TLS spec (excerpts provided below) appears to be vague in its
description of how key exchange handling is done if the NULL ciphersuite is
negotiated. I don't recall seeing any statement indicating it is illegal to
negotiate a NULL ciphersuite. My assumption is the NULL ciphersuite could
be negotiated anytime it is legal to negotiate any other ciphersuite (its

The spec identifies the ServerKeyExchange and ServerCertificate messages
as being optional but section 6.4.3 does not indicate which message (if
any) should be sent for NULL ciphersuite. Is it an empty KeyExchange
message or just no message (key exchange or certificate)?

Section 6.4.7 mandates the return of the ClientKeyExchange message but does
not describe the format of the message if the negotiated ciphersuite was
NULL. There is an agrement for making the ClientKeyExchange message
optional if the NULL ciphersuite was negotiated. Alternatively, the key
exchange message could contain nothing as is the case for DH_RSA and DH_DSS
key exchange methods.

Thank You,
Ned Smith

6.4.3 Server key exchange message

   When this message will be sent:

   This message will be sent after the server certificate message (or
   the server hello message, if the server certificate is not sent),
   but before the server hello done message. The server key exchange
   message may be sent before or after this message.

   The server key exchange message is sent by the server only when the
   server certificate message (if sent) does not contain enough data to
   allow the client to exchange a premaster secret. This is true for
   the following key exchange methods:

          RSA_EXPORT (if the public key in the server certificate is
                      longer than 512 bits)

   It is not legal to send the server key exchange message for the
   following key exchange methods:

          RSA_EXPORT (when the public key in the server certificate
                      is less than or equal to 512 bits in length)

6.4.7 Client key exchange message

   When this message will be sent:

   This message is always sent by the client. It will immediately
   follow the client certificate message, if it is sent, or the
   no_certificate alert, if a certificate was requested but an
   appropriate one was not available. Otherwise it will be the first
   message sent by the client after it receives the server hello done

   Meaning of this message:

   With this message, the premaster secret is set, either though direct
   transmisson of the RSA-encrypted secret, or by the transmission of
   Diffie-Hellman parameters which will allow each side to agree upon
   the same premaster secret. When the key exchange method is DH_RSA or
   DH_DSS, client certification has been requested, and the client was
   able to respond with a certificate which contained a Diffie-Hellman
   public key whose parameters (group and generator) matched those
   specified by the server in its certificate, this message will not
   contain any data.

Received on Thursday, 30 January 1997 14:33:58 UTC