[openssl-users] s_client -no_tls1 option

Benjamin Kaduk bkaduk at akamai.com
Tue Dec 1 23:33:41 UTC 2015

On 12/01/2015 05:28 PM, Nounou Dadoun wrote:
> Getting an unexpected result, does the no_tls1 option for s_client mean "don't use tls1" (and everything else is ok) or does it mean "don't use tls1 or tls1.1 or tls1.2"?  I expected the former but I'm observing the latter!  (The man page doesn't go into that much detail.) ... N

The latter.

The TLS protocol only specifies a maximum version supported by the
client (and in practice there are some heuristics using the record
protocol version to indicate the minimum version supported), so the
client is essentially claiming just a contiguous range.  Once 1.0 is
removed, the higher versions are as well.  (I would have to check to see
how this interacts with no_ssl2 and no_ssl3.)

-Ben Kaduk

More information about the openssl-users mailing list