Re: <Please advise> Use 'openssl s_server command' to disable TLS1.0

Hubert Kario hkario at redhat.com
Tue Mar 17 11:10:37 UTC 2020


On Tuesday, 17 March 2020 10:04:34 CET, guoxiaobinni at 163.com wrote:
> Hi Matt,
>
> I have asked senior colleague for running the following 
> commands on Redhat Linux server.
> $ openssl s_server -no_tls1 -key keyfile -cert certname
> $ openssl s_client -no_tls1
>
> May I know any actions will make them take effect after run?

`openssl s_client` and `openssl s_server` are debugging tools.

Any command line options passed to them affect only those tools.

They will not affect apache, curl, nginx, or any other application that uses
the openssl library.

Please contact Red Hat support on how to configure specific servers or
clients.
You may also find the information you're looking for in the Red Hat
Customer Portal:
https://access.redhat.com/articles/1462183


> -----Original Message-----
> From: Matt Caswell <matt at openssl.org>
> Sent: March 4, 2020 19:41
> To: guoxiaobinni at 163.com; openssl-users at openssl.org
> Cc: erik.y.h.liang at hsbc.com.cn; damontsli at hangseng.com
> Subject: Re: <Please advise> Use 'openssl s_server command' to disable TLS1.0
>
>
>
> On 04/03/2020 08:31, guoxiaobinni at 163.com wrote:
>> Thanks Matt,
>> 
>> As your advice, I tried to execute the following both commands 
>> to disable TLS 1.0 for Client and Server separately. Since I 
>> have no right to access private keyfile, of course they failed. 
>> Could you please correct me if the command format is fine? I 
>> then will assign them to senior colleague to execute.
>> 
>> $ openssl s_server -no_tls1 -key keyfile -cert certname
>> $ openssl s_client -no_tls1 -key keyfile [-cert certname]
>
> The format for s_server is fine. There is no need to supply the 
> -key and -cert options to s_client unless you are wanting to 
> test client authentication.
>
> However, I'm still not convinced you have understood what these 
> commands actually do. They will create a test server, and
> initiate a test client to connect to it respectively - and will
> disable TLSv1.0 for those instances only. Typically you would 
> only do this with test keys/certs not with production 
> keys/certs. It will have no impact on any other servers/clients 
> running in your environment.
>
> Matt
>
>> Thanks.
>> Chobin
>> 
>> -----Original Message-----
>> From: openssl-users-bounces at openssl.org
>> [mailto:openssl-users-bounces at openssl.org] On Behalf Of Matt Caswell ...

-- 
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic
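
The behaviour described in this thread, as an added example that is not part of the original messages: a throwaway `s_server` instance started with `-no_tls1` and a freshly generated test key/cert, probed by `s_client` at TLS 1.0 and TLS 1.2. The port number, the temporary directory and the `/CN=localhost` subject are assumptions made for the demo.

```sh
#!/bin/sh
# Added example: -no_tls1 applies only to this one s_server process.
# PORT and the certificate subject are constructed values for the demo.
PORT="${PORT:-14433}"

# probe HOST:PORT PROTOCOL_FLAG -> prints "accepted" or "refused".
# s_client exits 0 when the handshake completes, non-zero otherwise.
probe() {
    if openssl s_client -connect "$1" "$2" </dev/null >/dev/null 2>&1; then
        echo accepted
    else
        echo refused
    fi
}

# Start a test server (test key/cert only, never production keys), probe it,
# then tear it down. Prints "<TLS 1.0 result> <TLS 1.2 result>".
demo() {
    local dir pid r10 r12
    dir="$(mktemp -d)" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localhost" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1 || return 1
    # -www answers with a status page instead of reading stdin, so the
    # server keeps accepting connections while it runs in the background.
    openssl s_server -no_tls1 -www -key "$dir/key.pem" -cert "$dir/cert.pem" \
        -accept "127.0.0.1:$PORT" >/dev/null 2>&1 &
    pid=$!
    r12=refused
    for _ in 1 2 3 4 5; do          # wait until the listener is up
        r12="$(probe "127.0.0.1:$PORT" -tls1_2)"
        [ "$r12" = accepted ] && break
        sleep 1
    done
    # A refusal here can also come from the local OpenSSL build or system
    # crypto policy rejecting TLS 1.0 on the client side.
    r10="$(probe "127.0.0.1:$PORT" -tls1)"
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    rm -rf "$dir"
    echo "$r10 $r12"
}

demo   # expected: refused accepted
```

Once `demo` returns, the test server is gone and nothing on the host has been reconfigured; what Apache, nginx or any other service accepts is decided by that service's own configuration.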


