On 12/01/2015 05:28 PM, Nounou Dadoun wrote: > Getting an unexpected result, does the no_tls1 option for s_client mean "don't use tls1" (and everything else is ok) or does it mean "don't use tls1 or tls1.1 or tls1.2"? I expected the former but I'm observing the latter! (The man page doesn't go into that much detail.) ... N > The latter. The TLS protocol only specifies a maximum version supported by the client (and in practice there are some heuristics using the record protocol version to indicate the minimum version supported), so the client is essentially claiming just a contiguous range. Once 1.0 is removed, the higher versions are as well. (I would have to check to see how this interacts with no_ssl2 and no_ssl3.) -Ben Kaduk
