That makes sense, we've disabled sslv2 and sslv3 and I expected the no_tls1 option to allow a higher version to connect but it wouldn't connect at all. I should have remembered that it's implemented as a contiguous range! Thanks for the quick response .. N -----Original Message----- From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On Behalf Of Benjamin Kaduk Sent: Tuesday, December 01, 2015 3:34 PM To: openssl-users at openssl.org Subject: Re: s_client -no_tls1 option On 12/01/2015 05:28 PM, Nounou Dadoun wrote: > Getting an unexpected result, does the no_tls1 option for s_client > mean "don't use tls1" (and everything else is ok) or does it mean > "don't use tls1 or tls1.1 or tls1.2"? I expected the former but I'm > observing the latter! (The man page doesn't go into that much > detail.) ... N > The latter. The TLS protocol only specifies a maximum version supported by the client (and in practice there are some heuristics using the record protocol version to indicate the minimum version supported), so the client is essentially claiming just a contiguous range. Once 1.0 is removed, the higher versions are as well. (I would have to check to see how this interacts with no_ssl2 and no_ssl3.) -Ben Kaduk _______________________________________________ openssl-users mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
