Re: Reply: <Please advise> Use 'openssl s_server command' to disable TLS1.0

163 guoxiaobinni at 163.com
Tue Mar 17 12:02:36 UTC 2020


Hi Hubert,

Sorry for the unclear description. I just want to disable TLS 1.0 on a Red Hat Linux server. After running both of those commands, how do I make them take effect, or is nothing more needed? May I have more of your advice?

Chobin

> On 17 March 2020, at 19:10, Hubert Kario <hkario at redhat.com> wrote:
> 
>> On Tuesday, 17 March 2020 10:04:34 CET, guoxiaobinni at 163.com wrote:
>> Hi Matt,
>> 
>> I have asked a senior colleague to run the following commands on the Red Hat Linux server.
>> $ openssl s_server -no_tls1 -key keyfile -cert certname
>> $ openssl s_client -no_tls1
>> 
>> May I know what actions will make them take effect after they are run?
> 
> `openssl s_client` and `openssl s_server` are debugging tools
> 
> any command line options passed to them affect only those tools
> 
> it will not affect apache, curl, nginx, or any other application that uses
> the openssl library
> 
> Please contact Red Hat support on how to configure specific servers or clients.
> You may also find the information you're looking for in the Red Hat Customer
> Portal:
> https://access.redhat.com/articles/1462183
> 
> 
>> -----Original Message-----
>> From: Matt Caswell <matt at openssl.org>
>> Sent: 4 March 2020 19:41
>> To: guoxiaobinni at 163.com; openssl-users at openssl.org
>> Cc: erik.y.h.liang at hsbc.com.cn; damontsli at hangseng.com
>> Subject: Re: <Please advise> Use 'openssl s_server command' to disable TLS1.0
>> 
>> 
>> 
>>> On 04/03/2020 08:31, guoxiaobinni at 163.com wrote:
>>> Thanks Matt,
>>> As you advised, I tried to execute both of the following commands to disable TLS 1.0 for the client and the server separately. Since I have no right to access the private keyfile, of course they failed. Could you please tell me whether the command format is fine? I will then assign them to a senior colleague to execute.
>>> $ openssl s_server -no_tls1 -key keyfile -cert certname
>>> $ openssl s_client -no_tls1 -key keyfile [-cert certname]
>> 
>> The format for s_server is fine. There is no need to supply the -key and -cert options to s_client unless you are wanting to test client authentication.
>> 
>> However, I'm still not convinced you have understood what these commands actually do. They will create a test server, and initiate a test client to connect to it respectively - and will disable TLSv1.0 for those instances only. Typically you would only do this with test keys/certs not with production keys/certs. It will have no impact on any other servers/clients running in your environment.
>> 
>> Matt
>> 
>>> Thanks.
>>> Chobin
>>> -----Original Message-----
>>> From: openssl-users-bounces at openssl.org [mailto:openssl-users-bounces at openssl.org] On Behalf Of Matt Caswell ...
>> 
>> 
>> 
>> 
> 
> -- 
> Regards,
> Hubert Kario
> Senior Quality Engineer, QE BaseOS Security team
> Web: www.cz.redhat.com
> Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic
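
The point made in both replies, as an added example that is not part of the original thread or of OpenSSL's own code: `-no_tls1` only governs the one `s_server` instance it is passed to, and `s_client` is the tool for checking what a given listener will negotiate. The port 14433, the function names `probe` and `demo`, the `-www` flag and the `host:port` form of `-accept` (OpenSSL 1.1.0 or later) are assumptions of this sketch.

```shell
#!/bin/sh
# Added example. Uses a throwaway self-signed key/cert, never production keys.

# probe ADDR FLAG: try one handshake limited to the protocol FLAG selects
# (-tls1, -tls1_2, ...). Prints "accepted" or "rejected".
# "rejected" also covers a refused connection or a local openssl build/policy
# that itself refuses the protocol, so confirm a newer version is accepted.
probe() {
    if openssl s_client -connect "$1" "$2" </dev/null >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

# demo [PORT]: start a test s_server with -no_tls1 on loopback and probe it.
# PORT (default 14433) is an arbitrary free port chosen for this example.
demo() {
    port=${1:-14433}
    addr="127.0.0.1:$port"
    dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=localhost" -days 1 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1 ||
        { rm -rf "$dir"; return 1; }
    # -www keeps the test server from reading stdin (and quitting on EOF).
    openssl s_server -no_tls1 -www -accept "$addr" \
        -key "$dir/key.pem" -cert "$dir/cert.pem" </dev/null >/dev/null 2>&1 &
    pid=$!
    # Wait (up to ~10 s) until the test server answers a TLS 1.2 handshake.
    tries=0
    until [ "$(probe "$addr" -tls1_2)" = accepted ] || [ "$tries" -ge 10 ]; do
        tries=$((tries + 1))
        sleep 1
    done
    old=$(probe "$addr" -tls1)
    new=$(probe "$addr" -tls1_2)
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    rm -rf "$dir"
    echo "tls1=$old tls1_2=$new"
}

# Run the demo only when asked: sh tls_probe.sh demo [PORT]
if [ "${1:-}" = demo ]; then
    demo "${2:-14433}"
fi
```

Once the real service (apache, nginx, and so on) has been reconfigured through its own settings, `probe host:port -tls1` against that listener shows whether the change took effect there.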



