[openssl-users] s_client -no_tls1 option

Nounou Dadoun nounou.dadoun at avigilon.com
Tue Dec 1 23:48:20 UTC 2015


That makes sense, we've disabled sslv2 and sslv3 and I expected the no_tls1 option to allow a higher version to connect but it wouldn't connect at all.  I should have remembered that it's implemented as a contiguous range!  Thanks for the quick response .. N

-----Original Message-----
From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Benjamin Kaduk
Sent: Tuesday, December 01, 2015 3:34 PM
To: openssl-users at openssl.org
Subject: Re: [openssl-users] s_client -no_tls1 option

On 12/01/2015 05:28 PM, Nounou Dadoun wrote:
> Getting an unexpected result, does the no_tls1 option for s_client 
> mean "don't use tls1" (and everything else is ok) or does it mean 
> "don't use tls1 or tls1.1 or tls1.2"?  I expected the former but I'm 
> observing the latter!  (The man page doesn't go into that much 
> detail.) ... N
>

The latter.

The TLS protocol only specifies a maximum version supported by the client (and in practice there are some heuristics using the record protocol version to indicate the minimum version supported), so the client is essentially claiming just a contiguous range.  Once 1.0 is removed, the higher versions are as well.  (I would have to check to see how this interacts with no_ssl2 and no_ssl3.)

-Ben Kaduk
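
Added example, not part of the original thread and not OpenSSL code: the Python below reads the two version fields the reply above refers to, the record-layer version and the single client_version in the ClientHello, from a pre-TLS 1.3 ClientHello record. The function names and the sample bytes are constructed for illustration.

```python
import struct

# Wire values for the protocol versions named in the thread.
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}


def version_name(value):
    return VERSIONS.get(value, "unknown(0x%04x)" % value)


def build_client_hello(record_version, client_version):
    """Constructed sample: a minimal ClientHello wrapped in one TLS record."""
    body = struct.pack("!H", client_version)   # client_version (the maximum offered)
    body += bytes(32)                          # random (zeros, sample only)
    body += b"\x00"                            # empty session_id
    body += struct.pack("!HH", 2, 0x002F)      # cipher_suites: length 2, one suite
    body += b"\x01\x00"                        # compression_methods: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, record_version, len(handshake)) + handshake


def parse_versions(record):
    """Return (record_layer_version, client_version) as names."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 22:
        raise ValueError("not a handshake record")
    fragment = record[5:5 + rec_len]
    if rec_len < 6 or len(fragment) < rec_len:
        raise ValueError("truncated handshake fragment")
    if fragment[0] != 1:
        raise ValueError("handshake message is not a ClientHello")
    # Skip the 1-byte message type and 3-byte length to reach client_version.
    (hello_ver,) = struct.unpack("!H", fragment[4:6])
    return version_name(rec_ver), version_name(hello_ver)


if __name__ == "__main__":
    sample = build_client_hello(record_version=0x0301, client_version=0x0303)
    low, high = parse_versions(sample)
    print("record layer version:", low)
    print("ClientHello client_version:", high)
```

Fed the first record of a captured handshake, `parse_versions` shows what a given client configuration actually put on the wire.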