Re: Re: <Please advise> Use 'openssl s_server command' to disable TLS1.0


 



On Tuesday, 17 March 2020 10:04:34 CET, guoxiaobinni@xxxxxxx wrote:
Hi Matt,

I have asked a senior colleague to run the following commands on a Red Hat Linux server.
$ openssl s_server -no_tls1 -key keyfile -cert certname
$ openssl s_client -no_tls1

May I know what actions will make them take effect after they are run?

`openssl s_client` and `openssl s_server` are debugging tools

any command line options passed to them affect only those tools

it will not affect apache, curl, nginx, or any other application that uses
the openssl library

Please contact Red Hat support on how to configure specific servers or clients. You may also find the information you're looking for in the Red Hat Customer Portal:
https://access.redhat.com/articles/1462183


-----Original Message-----
From: Matt Caswell <matt@xxxxxxxxxxx> Sent: 4 March 2020 19:41
To: guoxiaobinni@xxxxxxx; openssl-users@xxxxxxxxxxx
Cc: erik.y.h.liang@xxxxxxxxxxx; damontsli@xxxxxxxxxxxx
Subject: Re: <Please advise> Use 'openssl s_server command' to disable TLS1.0



On 04/03/2020 08:31, guoxiaobinni@xxxxxxx wrote:
Thanks Matt,

Following your advice, I tried to execute both of the following commands to disable TLS 1.0 for the client and server separately. Since I have no right to access the private keyfile, of course they failed. Could you please correct me if the command format is fine? I will then assign them to a senior colleague to execute.

$ openssl s_server -no_tls1 -key keyfile -cert certname
$ openssl s_client -no_tls1 -key keyfile [-cert certname]

The format for s_server is fine. There is no need to supply the -key and -cert options to s_client unless you are wanting to test client authentication.

However, I'm still not convinced you have understood what these commands actually do. They will create a test server, and initiate a test client to connect to it respectively - and will disable TLSv1.0 for those instances only. Typically you would only do this with test keys/certs not with production keys/certs. It will have no impact on any other servers/clients running in your environment.

Matt

Thanks.
Chobin

-----Original Message-----
From: openssl-users-bounces@xxxxxxxxxxx [mailto:openssl-users-bounces@xxxxxxxxxxx] On Behalf Of Matt Caswell ...





--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic
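
The thread's point is that `-no_tls1` changes only the `s_server`/`s_client` process it is passed to; as a debugging tool, `s_client` can still be pointed at a real service to see which protocol versions that service accepts once it has been reconfigured. The script below is an added example, not part of the original messages: the function names `classify_handshake` and `probe_tls` and the sample output fragments are constructed here, and it assumes the local `openssl` build is itself able to offer the version being forced.

```sh
#!/bin/sh
# Added example; function names and sample text are constructed for illustration.

# classify_handshake: read `openssl s_client` output on stdin and print one of
#   accepted     - a cipher was negotiated at the forced protocol version
#   rejected     - a handshake was attempted but nothing was negotiated
#   client-side  - the local openssl refused to offer that version itself
#   inconclusive - no handshake summary in the output at all
classify_handshake() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'no protocols available'; then
        echo client-side
    elif printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
        echo rejected
    elif printf '%s\n' "$out" | grep -Eq '^New, .*Cipher is '; then
        echo accepted
    else
        echo inconclusive
    fi
}

# probe_tls HOST PORT FLAG, where FLAG forces one version (-tls1 ... -tls1_3)
probe_tls() {
    openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1 | classify_handshake
}

# Constructed s_client output fragments, so the script also runs offline.
SAMPLE_ACCEPTED='CONNECTED(00000003)
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384'
SAMPLE_REJECTED='CONNECTED(00000003)
New, (NONE), Cipher is (NONE)'

if [ "$#" -eq 2 ]; then
    # Usage: sh probe.sh HOST PORT  (a service you administer)
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        printf '%-8s %s\n' "$flag" "$(probe_tls "$1" "$2" "$flag")"
    done
else
    printf '%s\n' "$SAMPLE_ACCEPTED" | classify_handshake   # accepted
    printf '%s\n' "$SAMPLE_REJECTED" | classify_handshake   # rejected
fi
```

A `client-side` result means the probe never offered that version, so it says nothing about the server.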




