On Tue, Dec 01, 2015 at 05:33:41PM -0600, Benjamin Kaduk wrote:

> On 12/01/2015 05:28 PM, Nounou Dadoun wrote:
> > Getting an unexpected result, does the no_tls1 option for s_client mean "don't use tls1" (and everything else is ok) or does it mean "don't use tls1 or tls1.1 or tls1.2"? I expected the former but I'm observing the latter! (The man page doesn't go into that much detail.) ... N
> >
>
> The latter.
>
> The TLS protocol only specifies a maximum version supported by the
> client (and in practice there are some heuristics using the record
> protocol version to indicate the minimum version supported), so the
> client is essentially claiming just a contiguous range.  Once 1.0 is
> removed, the higher versions are as well.  (I would have to check to see
> how this interacts with no_ssl2 and no_ssl3.)

If one also specifies -no_ssl2 and -no_ssl3, then the client will
advertise TLS 1.2 and accept either TLS 1.2 or TLS 1.1.

--
	Viktor.
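
The contiguous-range behaviour discussed in this thread, as an added example that is not part of the original messages and is not OpenSSL code. It is a simplified model: the function names, the "lowest contiguous run" rule and a build with SSLv2 and SSLv3 compiled in are assumptions made for illustration.

```python
# Simplified model (an assumption, not OpenSSL source) of how a pre-TLS-1.3
# client turns per-version "disable" switches into one advertised version.
VERSIONS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]  # low -> high

# s_client switches named in the thread, plus the analogous ones for 1.1/1.2.
FLAGS = {"-no_ssl2": "SSLv2", "-no_ssl3": "SSLv3", "-no_tls1": "TLSv1",
         "-no_tls1_1": "TLSv1.1", "-no_tls1_2": "TLSv1.2"}


def effective_versions(flags):
    """Return (advertised_max, accepted_versions) for a set of -no_* flags.

    The ClientHello carries a single maximum version, so only a contiguous
    range can be offered. Modelled here as: a disabled version also removes
    everything above it while any lower version remains enabled.
    """
    disabled = {FLAGS[f] for f in flags}
    accepted = []
    for version in VERSIONS:
        if version not in disabled:
            accepted.append(version)
        elif accepted:
            # A hole with something enabled below it: the range ends here.
            break
    if not accepted:
        raise ValueError("every protocol version is disabled")
    return accepted[-1], accepted


def silently_dropped(flags):
    """Versions the caller did not disable but the range rule removes."""
    _, accepted = effective_versions(flags)
    disabled = {FLAGS[f] for f in flags}
    return [v for v in VERSIONS if v not in disabled and v not in accepted]


if __name__ == "__main__":
    # Constructed flag sets: the two cases from the thread.
    for flags in (["-no_tls1"], ["-no_ssl2", "-no_ssl3", "-no_tls1"]):
        top, accepted = effective_versions(flags)
        print(flags, "advertise", top, "accept", accepted,
              "silently dropped", silently_dropped(flags))
```
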