回复: <Please advise> Ues 'openssl s_server command' to disable TLS1.0

guoxiaobinni at 163.com guoxiaobinni at 163.com
Tue Mar 17 09:04:34 UTC 2020


Hi Matt,

I have asked senior colleague for running the following commands on Redhat Linux server.
$ openssl s_server -no_tls1 -key keyfile -cert certname
$ openssl s_client -no_tls1

May I know any actions will make them take effect after run?

-----邮件原件-----
发件人: Matt Caswell <matt at openssl.org> 
发送时间: 2020年3月4日 19:41
收件人: guoxiaobinni at 163.com; openssl-users at openssl.org
抄送: erik.y.h.liang at hsbc.com.cn; damontsli at hangseng.com
主题: Re: <Please advise> Ues 'openssl s_server command' to disable TLS1.0



On 04/03/2020 08:31, guoxiaobinni at 163.com wrote:
> Thanks Matt,
> 
> As your advice, I tried to execute the following both commands to disable TLS 1.0 for Client and Server separately. Since I have no right to access private keyfile, of course they failed. Could you please correct me if the command format is fine? I then will assign them to senior colleague to execute.
> 
> $ openssl s_server -no_tls1 -key keyfile -cert certname $ openssl 
> s_client -no_tls1 -key keyfile [-cert certname]

The format for s_server is fine. There is no need to supply the -key and -cert options to s_client unless you are wanting to test client authentication.

However, I'm still not convinced you have understood what these commands actually do. They will create a test server, and a initiate a test client to connect to it respectively - and will disable TLSv1.0 for those instances only. Typically you would only do this with test keys/certs not with production keys/certs. It will have no impact on any other servers/clients running in your environment.

Matt

> 
> Thanks.
> Chobin
> 
> -----邮件原件-----
> 发件人: openssl-users-bounces at openssl.org 
> [mailto:openssl-users-bounces at openssl.org] 代表 Matt Caswell
> 发送时间: 2020年3月3日 18:51
> 收件人: openssl-users at openssl.org
> 主题: Re: <Please advise> Ues 'openssl s_server command' to disable 
> TLS1.0
> 
> 
> 
> On 03/03/2020 07:48, guoxiaobinni at 163.com wrote:
>> Dear All,
>>
>>  
>>
>> I hit the following error when used ‘openssl s_server -no_tls1’ 
>> command to disable TLS1.0 on Redhat Linux server.
> 
> Your question is slightly ambiguous. It implies you expect the command 
> to disable TLSv1.0 for all applications on your server. If that is 
> what you meant then you will be disappointed. "openssl s_server" runs 
> a test server to enable testing TLS connections from clients. The "-no_tls1"
> option disables TLSv1.0 for that test server instance only.
> 
> If you really mean to start a test server then you need to 
> additionally supply a key and certificate file. By default s_server 
> will look for the key/cert in the file server.pem in the current working directory.
> Otherwise you have to explicitly state the location of these files 
> with the "-key" and "-cert" options.
> 
> Matt
> 
> 
> 
>> It shows the openssl version
>> as well.
>>
>>  
>>
>> ---------------------------------------------------------------------
>> ---------------------------------------------------------------------
>> ----------
>>
>> $ openssl version
>>
>> OpenSSL 1.0.1e-fips 11 Feb 2013
>>
>> $ openssl s_server –no_tls1
>>
>> Error opening server certificate private key file server.pem
>>
>> 140057863432008:error:02001002:system library:fopen:No such file or
>> directory:bss_file.c:398:fopen(‘server.pem’,’r’)
>>
>> 140057863432008:error:20074002:BIO routines:FILE_CTRL:system
>> lib:bss_file.c:400:
>>
>> unable to load server certificate private key file
>>
>> ---------------------------------------------------------------------
>> ---------------------------------------------------------------------
>> -----------
>>
>>  
>>
>> I can’t confirm if the command format is fine or not. Would you 
>> please help to correct me?
>>
>>  
>>
>> Thanks and Regards,
>>
>> Chobin Guo
>>
> 
> 




More information about the openssl-users mailing list