Re: How to limit advertised maximum ssl version in ssl23 client hello

> On Nov 30, 2017, at 9:22 AM, Joseph Southwell <jsouthwell@xxxxxxxxxxxxx> wrote:
> 
> So I have a server I connect to that replies “insufficient security” when I connect with an ssl23 client hello from openssl 1.0.2. However, when I connect with any of ssl3-tls1.1 client hello it works. It doesn’t work if I try to connect with a tls1.2 client hello. I am trying to narrow down the problem so I would like to send an ssl23 client hello that only advertises up to 1.1. Any idea how to do just that?

OpenSSL 1.1.0 provides controls to explicitly set the maximum and/or
minimum SSL/TLS protocol version.  In OpenSSL 1.0.2, you can only
disable specific versions via SSL_OP_NO_SSLv2, SSL_OP_NO_SSLv3,
SSL_OP_NO_TLSv1, SSL_OP_NO_TLSv1_1 or SSL_OP_NO_TLSv1_2, making sure
to not introduce "holes"!  After disabled protocols are removed, the
remaining protocols *MUST* form a contiguous range with no gaps in
the middle.

-- 
	Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
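
The "no holes" rule from the reply above, as an added example that is not part of the original message or of OpenSSL itself: it works out which 1.0.2 SSL_OP_NO_* options leave a given version range enabled and checks that a set of disabled versions leaves no gap. The function names and the bit positions are assumptions local to this example; the bits are not the numeric values of the OpenSSL macros.

```c
#include <stdio.h>
#include <string.h>
/* Versions in ascending order; bit positions are local to this example. */
enum { V_SSL2, V_SSL3, V_TLS1, V_TLS1_1, V_TLS1_2, V_COUNT };

/* OpenSSL 1.0.2 option that disables each version. */
static const char *const no_opt[V_COUNT] = {
    "SSL_OP_NO_SSLv2", "SSL_OP_NO_SSLv3", "SSL_OP_NO_TLSv1",
    "SSL_OP_NO_TLSv1_1", "SSL_OP_NO_TLSv1_2"
};

/* Mask of versions to disable so that only [min, max] stays enabled. */
unsigned disable_mask_for_range(int min, int max) {
    unsigned mask = 0;
    for (int v = 0; v < V_COUNT; v++)
        if (v < min || v > max)
            mask |= 1u << v;
    return mask;
}

/* 1 if the versions left enabled form one non-empty run with no gaps. */
int enabled_range_is_contiguous(unsigned disabled) {
    int runs = 0, prev = 0;
    for (int v = 0; v < V_COUNT; v++) {
        int on = !(disabled & (1u << v));
        runs += on && !prev;   /* count each start of an enabled run */
        prev = on;
    }
    return runs == 1;
}

/* Write the option names for a mask as "A | B"; returns how many. */
int option_names(unsigned disabled, char *buf, size_t len) {
    int n = 0;
    buf[0] = '\0';
    for (int v = 0; v < V_COUNT; v++)
        if (disabled & (1u << v)) {
            if (n++) strncat(buf, " | ", len - strlen(buf) - 1);
            strncat(buf, no_opt[v], len - strlen(buf) - 1);
        }
    return n;
}

int main(void) {
    char buf[128];
    unsigned m = disable_mask_for_range(V_SSL3, V_TLS1_1); /* constructed case */
    option_names(m, buf, sizeof buf);
    printf("%s  contiguous=%d\n", buf, enabled_range_is_contiguous(m));
}
```

In a 1.0.2 client the resulting options would be passed to SSL_CTX_set_options() before connecting.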
