On Tue, Dec 01, 2015 at 05:33:41PM -0600, Benjamin Kaduk wrote:
> On 12/01/2015 05:28 PM, Nounou Dadoun wrote:
> > Getting an unexpected result, does the no_tls1 option for s_client mean 
> > "don't use tls1" (and everything else is ok) or does it mean "don't use 
> > tls1 or tls1.1 or tls1.2"?  I expected the former but I'm observing the 
> > latter!  (The man page doesn't go into that much detail.) ... N
> >
> 
> The latter.
> 
> The TLS protocol only specifies a maximum version supported by the
> client (and in practice there are some heuristics using the record
> protocol version to indicate the minimum version supported), so the
> client is essentially claiming just a contiguous range.  Once 1.0 is
> removed, the higher versions are as well.  (I would have to check to see
> how this interacts with no_ssl2 and no_ssl3.)

If one also specifies -no_ssl2 and -no_ssl3, then the client will advertise
TLS 1.2 and accept either TLS 1.2 or TLS 1.1.

-- 
        Viktor.
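
The version selection described in this thread, as an added example that is not part of either message and is not OpenSSL source code: a simplified Python model in which the client can only claim one contiguous range of protocol versions. The function names, and the assumption that all five versions are compiled in and enabled before any -no_* flag is applied, belong to the example only.

```python
# Added illustration: a simplified model of the behaviour described in this
# thread. It is not OpenSSL source code.
VERSIONS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]  # ascending order

# s_client flags and the protocol version each one disables.
NO_FLAGS = {
    "-no_ssl2": "SSLv2",
    "-no_ssl3": "SSLv3",
    "-no_tls1": "TLSv1",
    "-no_tls1_1": "TLSv1.1",
    "-no_tls1_2": "TLSv1.2",
}


def _disabled(flags):
    unknown = [f for f in flags if f not in NO_FLAGS]
    if unknown:
        raise ValueError("unknown flag(s): " + ", ".join(unknown))
    return {NO_FLAGS[f] for f in flags}


def effective_range(flags):
    """Return (advertised_max, accepted_versions) for a list of -no_* flags."""
    disabled = _disabled(flags)
    accepted = []
    for version in VERSIONS:
        if version in disabled:
            if accepted:
                break      # hole above an enabled version: everything higher is lost
            continue       # still below the lowest enabled version
        accepted.append(version)
    return (accepted[-1] if accepted else None), accepted


def silently_dropped(flags):
    """Versions the flags left enabled but that fall above a hole."""
    disabled = _disabled(flags)
    _, accepted = effective_range(flags)
    return [v for v in VERSIONS if v not in disabled and v not in accepted]


if __name__ == "__main__":
    for flags in (["-no_tls1"], ["-no_tls1", "-no_ssl2", "-no_ssl3"]):
        advertised, accepted = effective_range(flags)
        print(" ".join(flags), "-> advertise", advertised, "accept", accepted,
              "dropped", silently_dropped(flags))
```

A non-empty result from silently_dropped() flags an option set that removes more protocol versions than the flags name.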