[openssl-users] s_client -no_tls1 option

Viktor Dukhovni openssl-users at dukhovni.org
Wed Dec 2 02:10:31 UTC 2015


On Tue, Dec 01, 2015 at 05:33:41PM -0600, Benjamin Kaduk wrote:
> On 12/01/2015 05:28 PM, Nounou Dadoun wrote:
> > Getting an unexpected result, does the no_tls1 option for s_client mean "don't use tls1" (and everything else is ok) or does it mean "don't use tls1 or tls1.1 or tls1.2"?  I expected the former but I'm observing the latter!  (The man page doesn't go into that much detail.) ... N
> >
> 
> The latter.
> 
> The TLS protocol only specifies a maximum version supported by the
> client (and in practice there are some heuristics using the record
> protocol version to indicate the minimum version supported), so the
> client is essentially claiming just a contiguous range.  Once 1.0 is
> removed, the higher versions are as well.  (I would have to check to see
> how this interacts with no_ssl2 and no_ssl3.)

If one also specifies -no_ssl2 and -no_ssl3, then the client will advertise
TLS 1.2 and accept either TLS 1.2 or TLS 1.1.

-- 
	Viktor.
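
An added example, not part of the original messages and not OpenSSL's own code: a small Python model of the pre-TLS 1.3 rule discussed above, in which the ClientHello carries a single client_version (the maximum) and the record-layer version is treated as the minimum hint. The function names, the zero-filled hello body and the use of the record version as a floor are assumptions made for this illustration.

```python
import struct

# Wire codes for the protocol versions named in the thread.
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

def build_client_hello(enabled):
    """Constructed, minimal ClientHello prefix for a client with `enabled` versions.

    Only two version fields exist on the wire: the record-layer version (used
    here as the minimum hint) and client_version (the maximum). Everything
    after client_version is zero padding, enough for this demonstration only.
    """
    lo, hi = min(enabled), max(enabled)
    body = struct.pack("!H", hi) + bytes(32)             # client_version + random
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = ClientHello
    return struct.pack("!BHH", 0x16, lo, len(hs)) + hs   # record type 22 = handshake

def parse_versions(record):
    """Return (record_version, client_version) from a ClientHello record."""
    rtype, rec_ver, length = struct.unpack("!BHH", record[:5])
    if rtype != 0x16 or len(record) < max(11, 5 + length) or record[5] != 0x01:
        raise ValueError("not a complete ClientHello record")
    (client_ver,) = struct.unpack("!H", record[9:11])
    return rec_ver, client_ver

def negotiate(client_enabled, server_enabled):
    """Server picks its highest version <= client_version; the client then
    aborts (None) if the chosen version is one it has disabled."""
    _, client_max = parse_versions(build_client_hello(client_enabled))
    candidates = [v for v in server_enabled if v <= client_max]
    if not candidates:
        return None
    chosen = max(candidates)
    return VERSIONS[chosen] if chosen in client_enabled else None

if __name__ == "__main__":
    # Client set corresponding to -no_ssl2 -no_ssl3 -no_tls1: TLS 1.1 and 1.2 remain.
    client = {0x0302, 0x0303}
    print([hex(v) for v in parse_versions(build_client_hello(client))])
    for server in ({0x0303}, {0x0301, 0x0302}, {0x0301}):
        print(sorted(VERSIONS[v] for v in server), "->", negotiate(client, server))
```

Because the hello has no field for a gap, a client set with a hole in the middle produces the same two version fields as the full range, and the mismatch only surfaces when the client rejects the server's choice.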

