[openssl-users] s_client -no_tls1 option
Viktor Dukhovni
openssl-users at dukhovni.org
Wed Dec 2 02:10:31 UTC 2015

On Tue, Dec 01, 2015 at 05:33:41PM -0600, Benjamin Kaduk wrote:
> On 12/01/2015 05:28 PM, Nounou Dadoun wrote:
> > Getting an unexpected result, does the no_tls1 option for s_client mean "don't use tls1" (and everything else is ok) or does it mean "don't use tls1 or tls1.1 or tls1.2"? I expected the former but I'm observing the latter! (The man page doesn't go into that much detail.) ... N
> >
>
> The latter.
>
> The TLS protocol only specifies a maximum version supported by the
> client (and in practice there are some heuristics using the record
> protocol version to indicate the minimum version supported), so the
> client is essentially claiming just a contiguous range. Once 1.0 is
> removed, the higher versions are as well. (I would have to check to see
> how this interacts with no_ssl2 and no_ssl3.)

If one also specifies -no_ssl2 and -no_ssl3, then the client will advertise
TLS 1.2 and accept either TLS 1.2 or TLS 1.1.
--
Viktor.
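
The contiguous-range behaviour discussed in this thread, as an added example that is not part of the original messages and is not OpenSSL's own code. It generalizes the two cases in the thread to any combination of the -no_* options, assuming the range starts at the lowest enabled version; the flag names are constructed for the example.

```c
#include <stdio.h>

/* Protocol versions in ascending order. These flag names are constructed
 * for this example; they are not OpenSSL's SSL_OP_NO_* constants. */
enum { V_SSL2, V_SSL3, V_TLS1_0, V_TLS1_1, V_TLS1_2, V_COUNT };
#define NO(v) (1u << (v))

static const char *const names[V_COUNT] = {
    "SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"
};

struct range { int min; int max; };  /* both -1 when nothing is enabled */

/* Assumed model: the hello carries only a maximum version, so the client
 * can claim just one contiguous run. The run starts at the lowest enabled
 * version and stops below the first disabled version above it. */
struct range effective_range(unsigned disabled)
{
    struct range r = { -1, -1 };
    for (int v = 0; v < V_COUNT; v++) {
        if (disabled & NO(v)) {
            if (r.min >= 0)
                break;          /* hole: everything above is lost too */
            continue;           /* still below the lowest enabled version */
        }
        if (r.min < 0)
            r.min = v;
        r.max = v;
    }
    return r;
}

static void show(const char *opts, unsigned disabled)
{
    struct range r = effective_range(disabled);
    if (r.min < 0)
        printf("%-28s -> nothing enabled\n", opts);
    else
        printf("%-28s -> advertise %s, accept down to %s\n",
               opts, names[r.max], names[r.min]);
}

int main(void)
{
    show("-no_tls1", NO(V_TLS1_0));
    show("-no_ssl2 -no_ssl3 -no_tls1",
         NO(V_SSL2) | NO(V_SSL3) | NO(V_TLS1_0));
    return 0;
}
```

In this model -no_tls1 on its own leaves only the SSL versions below the hole, which is why a client meant to require TLS 1.1 or later has to disable every lower version as well.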