[openssl-users] Help with "tlsv1 alert insufficient security"

Matt Caswell matt at openssl.org
Fri Feb 24 21:11:09 UTC 2017

On 24/02/17 16:15, Joseph Southwell wrote:
> We upgraded from 0.9.8 to 1.0.2 and now we are seeing that message when
> we try connecting to a server that previously worked. What does it mean
> and how can I figure out how to work around it? I can’t get the server
> to change anything and I need to be able to continue connecting to it. 
> openssl s_client -connect xxxxxxx.com <http://xxxxxxx.com>:####
> -starttls ftp
> CONNECTED(00000170)
> 4960:error:1407742F:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert
> insufficient security:.\ssl\s23_clnt.c:770:

That is actually quite strange. This is the server sending the OpenSSL
client an alert to say that you have insufficient security in your
ClientHello. Without access to the server it is quite difficult to tell
why. What is strange is the default security has been increased
significantly between 0.9.8 and 1.0.2. Possibly some ciphers/parameters
that were previously offered are no longer offered by default in 1.0.2 -
and therefore the server can't find one it likes.

Rich's suggestion is a good one, but unfortunately only applies to
version 1.1.0 - it won't work in 1.0.2. You might want to try compiling
with the "enable-weak-ssl-ciphers" config option to see if that makes a

Alternatively, try and find out what connection params are used when
connecting from 0.9.8. That might give you a clue as to what settings
are acceptable to the server.


More information about the openssl-users mailing list