Hi Matt, I have asked senior colleague for running the following commands on Redhat Linux server. $ openssl s_server -no_tls1 -key keyfile -cert certname $ openssl s_client -no_tls1 May I know any actions will make them take effect after run? -----邮件原件----- 发件人: Matt Caswell <matt@xxxxxxxxxxx> 发送时间: 2020年3月4日 19:41 收件人: guoxiaobinni@xxxxxxx; openssl-users@xxxxxxxxxxx 抄送: erik.y.h.liang@xxxxxxxxxxx; damontsli@xxxxxxxxxxxx 主题: Re: <Please advise> Ues 'openssl s_server command' to disable TLS1.0 On 04/03/2020 08:31, guoxiaobinni@xxxxxxx wrote: > Thanks Matt, > > As your advice, I tried to execute the following both commands to disable TLS 1.0 for Client and Server separately. Since I have no right to access private keyfile, of course they failed. Could you please correct me if the command format is fine? I then will assign them to senior colleague to execute. > > $ openssl s_server -no_tls1 -key keyfile -cert certname $ openssl > s_client -no_tls1 -key keyfile [-cert certname] The format for s_server is fine. There is no need to supply the -key and -cert options to s_client unless you are wanting to test client authentication. However, I'm still not convinced you have understood what these commands actually do. They will create a test server, and a initiate a test client to connect to it respectively - and will disable TLSv1.0 for those instances only. Typically you would only do this with test keys/certs not with production keys/certs. It will have no impact on any other servers/clients running in your environment. Matt > > Thanks. > Chobin > > -----邮件原件----- > 发件人: openssl-users-bounces@xxxxxxxxxxx > [mailto:openssl-users-bounces@xxxxxxxxxxx] 代表 Matt Caswell > 发送时间: 2020年3月3日 18:51 > 收件人: openssl-users@xxxxxxxxxxx > 主题: Re: <Please advise> Ues 'openssl s_server command' to disable > TLS1.0 > > > > On 03/03/2020 07:48, guoxiaobinni@xxxxxxx wrote: >> Dear All, >> >> >> >> I hit the following error when used ‘openssl s_server -no_tls1’ >> command to disable TLS1.0 on Redhat Linux server. > > Your question is slightly ambiguous. It implies you expect the command > to disable TLSv1.0 for all applications on your server. If that is > what you meant then you will be disappointed. "openssl s_server" runs > a test server to enable testing TLS connections from clients. The "-no_tls1" > option disables TLSv1.0 for that test server instance only. > > If you really mean to start a test server then you need to > additionally supply a key and certificate file. By default s_server > will look for the key/cert in the file server.pem in the current working directory. > Otherwise you have to explicitly state the location of these files > with the "-key" and "-cert" options. > > Matt > > > >> It shows the openssl version >> as well. >> >> >> >> --------------------------------------------------------------------- >> --------------------------------------------------------------------- >> ---------- >> >> $ openssl version >> >> OpenSSL 1.0.1e-fips 11 Feb 2013 >> >> $ openssl s_server –no_tls1 >> >> Error opening server certificate private key file server.pem >> >> 140057863432008:error:02001002:system library:fopen:No such file or >> directory:bss_file.c:398:fopen(‘server.pem’,’r’) >> >> 140057863432008:error:20074002:BIO routines:FILE_CTRL:system >> lib:bss_file.c:400: >> >> unable to load server certificate private key file >> >> --------------------------------------------------------------------- >> --------------------------------------------------------------------- >> ----------- >> >> >> >> I can’t confirm if the command format is fine or not. Would you >> please help to correct me? >> >> >> >> Thanks and Regards, >> >> Chobin Guo >> > >
