Dear all,
I’m using two MikroTik devices and I’m implementing an SSTP tunnel. I wouldn’t use any certificate on the client or on the server, but only username and password authentication. The question is: without certificates, is the AES encryption still implemented in the SSTP tunnel? Or are the certificates mandatory for encryption?
I think the certificates assure only the authenticity of the client and server. Is that correct?
From the Wiki:
Between two Mikrotik routers it is also possible to set up an insecure tunnel by not using certificates at all. In this case data going through SSTP tunnel is using anonymous DH and Man-in-the-Middle attacks are easily accomplished. This scenario is not compatible with Windows clients.
To set up a secure SSTP tunnel, certificates are required. On the server, authentication is done only by username and password, but on the client the server is authenticated using a server certificate. It is also used by the client to cryptographically bind SSL and PPP authentication, meaning the client sends a special value over the SSTP connection to the server; this value is derived from the key data that is generated during PPP authentication and the server certificate, and this allows the server to check if both channels are secure.
Source: https://wiki.mikrotik.com/wiki/Manual:Interface/SSTP#Certificates
Thanks. And why, without certificates, do I have AES256-CBC in the encoding field?
It is still being encrypted, as you state; otherwise it would not deserve the first “S” in SSTP.
The difference is that there is no proof that the client is talking to the server the client wanted to talk to.
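A small added simulation of the point made in the wiki excerpt and in the reply above; it is not code from MikroTik or from this thread. An anonymous DH exchange still yields a session key (so the status shows a cipher such as AES256-CBC), but a relay that swaps in its own shares ends up holding the client's key; pinning the server's long-term public key S (a stand-in for certificate validation, with toy DH parameters) makes the client's key confirmation fail instead.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman parameters, constructed for illustration only; a real
# TLS handshake uses a standardised group and then runs the negotiated cipher
# (e.g. AES256-CBC, as shown in the RouterOS status) under the derived key.
P = 2**255 - 19
G = 2

def dh_share(priv):
    return pow(G, priv, P)

def derive(eph_priv, peer_eph_pub, static_term):
    """Session key = H(g^xy [|| g^xs]).
    static_term is None for anonymous DH; otherwise it is g^xs, which ties
    the session to the server's long-term key (the value a certificate vouches
    for) and can only be computed by the real server and the client."""
    material = pow(peer_eph_pub, eph_priv, P).to_bytes(32, "big")
    if static_term is not None:
        material += static_term.to_bytes(32, "big")
    return hashlib.sha256(material).digest()

def handshake(authenticated, intercepted):
    """Returns (client_accepted, relay_reads_traffic).
    authenticated: the client pins the server's long-term public key S;
    intercepted: a relay replaces both ephemeral shares with its own, the
    Man-in-the-Middle the wiki text describes."""
    s, x, y, m = (secrets.randbelow(P - 2) + 1 for _ in range(4))
    S, X, Y, M = (dh_share(k) for k in (s, x, y, m))
    client_peer = M if intercepted else Y   # share the client actually receives
    server_peer = M if intercepted else X   # share the server actually receives
    k_client = derive(x, client_peer, pow(S, x, P) if authenticated else None)
    k_server = derive(y, server_peer, pow(server_peer, s, P) if authenticated else None)
    # The relay knows m, X, Y and the public S, but neither s nor x, so it can
    # only derive anonymous keys: the g^xs term is out of its reach.
    k_relay_to_client = derive(m, X, None)
    # Key confirmation: the client checks a MAC from whoever holds the other end.
    other_end = k_relay_to_client if intercepted else k_server
    tag = hmac.new(other_end, b"server finished", hashlib.sha256).digest()
    expected = hmac.new(k_client, b"server finished", hashlib.sha256).digest()
    client_accepted = hmac.compare_digest(tag, expected)
    relay_reads_traffic = intercepted and k_relay_to_client == k_client
    return client_accepted, relay_reads_traffic

if __name__ == "__main__":
    for auth in (False, True):
        for mitm in (False, True):
            print(f"pinned_key={auth!s:5} relay={mitm!s:5} ->", handshake(auth, mitm))
```

With anonymous DH the client accepts the relayed handshake and the relay shares its key; with the pinned server key the client still gets an encrypted session when no relay is present, but rejects the relayed one.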
Oh yes. For this reason, at the top of the discussion I said that certificates are not mandatory for the encryption, but obviously if I wanted a more secure implementation I would need to have certificates.