Hi Hubert, Sorry for unclear description. I just want to disable TLS 1.0 on Redhat Linux server. After run those both commands, then how to take them effect or no need any. May I have your more advice?
Chobin > 在 2020年3月17日,19:10,Hubert Kario <hka...@redhat.com> 写道: > >> On Tuesday, 17 March 2020 10:04:34 CET, guoxiaobi...@163.com wrote: >> Hi Matt, >> >> I have asked senior colleague for running the following commands on Redhat >> Linux server. >> $ openssl s_server -no_tls1 -key keyfile -cert certname >> $ openssl s_client -no_tls1 >> >> May I know any actions will make them take effect after run? > > `openssl s_client` and `openssl s_server` are debugging tools > > any command line options passed to them affect only those tools > > it will not affect apache, curl, nginx, or any other application that uses > the openssl library > > Please contact Red Hat support on how to configure specific servers or > clients. > You may also find the information you're looking for in the Red Hat Customer > Portal: > https://access.redhat.com/articles/1462183 > > >> -----邮件原件----- >> 发件人: Matt Caswell <m...@openssl.org> 发送时间: 2020年3月4日 19:41 >> 收件人: guoxiaobi...@163.com; openssl-users@openssl.org >> 抄送: erik.y.h.li...@hsbc.com.cn; damont...@hangseng.com >> 主题: Re: <Please advise> Ues 'openssl s_server command' to disable TLS1.0 >> >> >> >>> On 04/03/2020 08:31, guoxiaobi...@163.com wrote: >>> Thanks Matt, >>> As your advice, I tried to execute the following both commands to disable >>> TLS 1.0 for Client and Server separately. Since I have no right to access >>> private keyfile, of course they failed. Could you please correct me if the >>> command format is fine? I then will assign them to senior colleague to >>> execute. >>> $ openssl s_server -no_tls1 -key keyfile -cert certname $ openssl s_client >>> -no_tls1 -key keyfile [-cert certname] >> >> The format for s_server is fine. There is no need to supply the -key and >> -cert options to s_client unless you are wanting to test client >> authentication. >> >> However, I'm still not convinced you have understood what these commands >> actually do. They will create a test server, and a initiate a test client to >> connect to it respectively - and will disable TLSv1.0 for those instances >> only. Typically you would only do this with test keys/certs not with >> production keys/certs. It will have no impact on any other servers/clients >> running in your environment. >> >> Matt >> >>> Thanks. >>> Chobin >>> -----邮件原件----- >>> 发件人: openssl-users-boun...@openssl.org >>> [mailto:openssl-users-boun...@openssl.org] 代表 Matt Caswell ... >> >> >> >> > > -- > Regards, > Hubert Kario > Senior Quality Engineer, QE BaseOS Security team > Web: www.cz.redhat.com > Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
