Hi Hubert, Sorry for unclear description. I just want to disable TLS 1.0 on Redhat Linux server. After run those both commands, then how to take them effect or no need any. May I have your more advice? Chobin > 在 2020年3月17日,19:10,Hubert Kario <hkario@xxxxxxxxxx> 写道: > >> On Tuesday, 17 March 2020 10:04:34 CET, guoxiaobinni@xxxxxxx wrote: >> Hi Matt, >> >> I have asked senior colleague for running the following commands on Redhat Linux server. >> $ openssl s_server -no_tls1 -key keyfile -cert certname >> $ openssl s_client -no_tls1 >> >> May I know any actions will make them take effect after run? > > `openssl s_client` and `openssl s_server` are debugging tools > > any command line options passed to them affect only those tools > > it will not affect apache, curl, nginx, or any other application that uses > the openssl library > > Please contact Red Hat support on how to configure specific servers or clients. > You may also find the information you're looking for in the Red Hat Customer > Portal: > https://access.redhat.com/articles/1462183 > > >> -----邮件原件----- >> 发件人: Matt Caswell <matt@xxxxxxxxxxx> 发送时间: 2020年3月4日 19:41 >> 收件人: guoxiaobinni@xxxxxxx; openssl-users@xxxxxxxxxxx >> 抄送: erik.y.h.liang@xxxxxxxxxxx; damontsli@xxxxxxxxxxxx >> 主题: Re: <Please advise> Ues 'openssl s_server command' to disable TLS1.0 >> >> >> >>> On 04/03/2020 08:31, guoxiaobinni@xxxxxxx wrote: >>> Thanks Matt, >>> As your advice, I tried to execute the following both commands to disable TLS 1.0 for Client and Server separately. Since I have no right to access private keyfile, of course they failed. Could you please correct me if the command format is fine? I then will assign them to senior colleague to execute. >>> $ openssl s_server -no_tls1 -key keyfile -cert certname $ openssl s_client -no_tls1 -key keyfile [-cert certname] >> >> The format for s_server is fine. There is no need to supply the -key and -cert options to s_client unless you are wanting to test client authentication. >> >> However, I'm still not convinced you have understood what these commands actually do. They will create a test server, and a initiate a test client to connect to it respectively - and will disable TLSv1.0 for those instances only. Typically you would only do this with test keys/certs not with production keys/certs. It will have no impact on any other servers/clients running in your environment. >> >> Matt >> >>> Thanks. >>> Chobin >>> -----邮件原件----- >>> 发件人: openssl-users-bounces@xxxxxxxxxxx [mailto:openssl-users-bounces@xxxxxxxxxxx] 代表 Matt Caswell ... >> >> >> >> > > -- > Regards, > Hubert Kario > Senior Quality Engineer, QE BaseOS Security team > Web: www.cz.redhat.com > Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
