<Please advise> Use 'openssl s_server command' to disable TLS1.0

Matt Caswell matt at openssl.org
Wed Mar 4 11:40:39 UTC 2020



On 04/03/2020 08:31, guoxiaobinni at 163.com wrote:
> Thanks Matt, 
> 
> Per your advice, I tried to execute both of the following commands to disable TLS 1.0 for Client and Server separately. Since I have no right to access the private keyfile, of course they failed. Could you please correct me if the command format is fine? I then will assign them to a senior colleague to execute.
> 
> $ openssl s_server -no_tls1 -key keyfile -cert certname
> $ openssl s_client -no_tls1 -key keyfile [-cert certname]

The format for s_server is fine. There is no need to supply the -key and
-cert options to s_client unless you are wanting to test client
authentication.

However, I'm still not convinced you have understood what these commands
actually do. They will create a test server, and initiate a test
client to connect to it respectively - and will disable TLSv1.0 for
those instances only. Typically you would only do this with test
keys/certs not with production keys/certs. It will have no impact on any
other servers/clients running in your environment.

Matt

> 
> Thanks.
> Chobin
> 
> -----Original Message-----
> From: openssl-users-bounces at openssl.org [mailto:openssl-users-bounces at openssl.org] On Behalf Of Matt Caswell
> Sent: March 3, 2020 18:51
> To: openssl-users at openssl.org
> Subject: Re: <Please advise> Use 'openssl s_server command' to disable TLS1.0
> 
> 
> 
> On 03/03/2020 07:48, guoxiaobinni at 163.com wrote:
>> Dear All,
>>
>>  
>>
>> I hit the following error when I used ‘openssl s_server -no_tls1’ command
>> to disable TLS1.0 on Redhat Linux server.
> 
> Your question is slightly ambiguous. It implies you expect the command
> to disable TLSv1.0 for all applications on your server. If that is what
> you meant then you will be disappointed. "openssl s_server" runs a test
> server to enable testing TLS connections from clients. The "-no_tls1"
> option disables TLSv1.0 for that test server instance only.
> 
> If you really mean to start a test server then you need to additionally
> supply a key and certificate file. By default s_server will look for the
> key/cert in the file server.pem in the current working directory.
> Otherwise you have to explicitly state the location of these files with
> the "-key" and "-cert" options.
> 
> Matt
> 
> 
> 
>> It shows the openssl version
>> as well.
>>
>>  
>>
>> ----------------------------------------------------------------------------------------------------------------------------------------------------
>>
>> $ openssl version
>>
>> OpenSSL 1.0.1e-fips 11 Feb 2013
>>
>> $ openssl s_server -no_tls1
>>
>> Error opening server certificate private key file server.pem
>>
>> 140057863432008:error:02001002:system library:fopen:No such file or
>> directory:bss_file.c:398:fopen('server.pem','r')
>>
>> 140057863432008:error:20074002:BIO routines:FILE_CTRL:system
>> lib:bss_file.c:400:
>>
>> unable to load server certificate private key file
>>
>> -----------------------------------------------------------------------------------------------------------------------------------------------------
>>
>>  
>>
>> I can’t confirm if the command format is fine or not. Would you please
>> help to correct me?
>>
>>  
>>
>> Thanks and Regards,
>>
>> Chobin Guo
>>
> 
> 
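
The point made in the replies above, as an added example that is not part of the original thread: `-no_tls1` restricts only the one `s_server` test instance it is passed to, which can be confirmed with a throwaway key/cert. The port number, the temporary file names and the use of `-www` (so the test server does not read stdin) are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not from the thread). PORT and file names are assumptions.
PORT="${PORT:-44330}"

# probe FLAG: attempt one handshake against the local test server using the
# given s_client protocol flag; prints "accepted" or "refused".
probe() {
    if openssl s_client "$1" -connect "127.0.0.1:$PORT" </dev/null >/dev/null 2>&1
    then echo accepted
    else echo refused
    fi
}

# Start a throwaway s_server with -no_tls1, probe it, then tear it down.
check_no_tls1() {
    work=$(mktemp -d) || return 1
    # Self-signed test key/cert only; never point this at production keys.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localhost" \
        -keyout "$work/key.pem" -out "$work/cert.pem" >/dev/null 2>&1 || return 1
    openssl s_server -no_tls1 -key "$work/key.pem" -cert "$work/cert.pem" \
        -accept "$PORT" -www </dev/null >/dev/null 2>&1 &
    pid=$!
    # Wait (up to about 5 s) until the test server answers a TLS 1.2 handshake.
    tries=0
    new=$(probe -tls1_2)
    while [ "$new" != accepted ] && [ "$tries" -lt 5 ]; do
        sleep 1
        tries=$((tries + 1))
        new=$(probe -tls1_2)
    done
    old=$(probe -tls1)   # TLS 1.0 only: this instance should refuse it
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    rm -rf "$work"
    echo "tls1=$old tls1_2=$new"
}

check_no_tls1
```

Once the function returns, the test server is gone and nothing else on the host has changed; production services still negotiate whatever their own configuration allows.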

