Forum Discussion

jwlarger
Dec 10, 2021

No TLSv1 and No TLSv1.1 set but curl still shows curl .. -tls1 connects

The virtual server in question tests appropriately (only TLS v1.2) via testssl.sh and the ssllabs.com tool. So why does curl -tls1 show connected?


openssl s_client -connect abc.def.com:443 -tls1

CONNECTED(00000003)

  • The -connect option first makes a TCP connection on port 443 (default) if the host port is not defined. Before every TLS handshake, a TCP connection is made. So you would see CONNECTED, as the 443 TCP connection is open.


    You can use -msg in the command and you will see that immediately after the CLIENT_HELLO the connection is getting reset, failing the TLS handshake, which proves TLS1 is disabled.


    eg.

    openssl s_client -connect  www.example.com:443 -tls1 -msg
    CONNECTED(00000004)
    >>> ??? [length 0005]
        16 03 01 00 79
    >>> TLS 1.0, Handshake [length 0079], ClientHello
        01 00 00 75 03 01 82 43 99 b4 95 de 40 94 7a 73
        44 8c aa e9 92 2e 65 ad 84 a2 3d 66 1e e8 1a d7
        ce ed 6b 1b 0d 67 00 00 12 c0 0a c0 14 c0 09 c0
        13 00 35 00 2f 00 39 00 33 00 ff 01 00 00 3a 00
        00 00 12 00 10 00 00 0d 77 77 77 2e 61 65 67 6f
        6e 2e 63 6f 6d 00 0b 00 04 03 00 01 02 00 0a 00
        0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 00 23 00
        00 00 16 00 00 00 17 00 00
    write:errno=0
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 126 bytes
    Verification: OK
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : 0000
        Session-ID:
        Session-ID-ctx:
        Master-Key:
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1639142869
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
        Extended master secret: no
    ---

    Try the same command with the tls1_2 option and you will see a successful TLS handshake taking place along with the certificate details.


    You can read more in the link below


    https://security.stackexchange.com/questions/169732/using-the-openssl-command-how-can-i-tell-if-its-using-tls-1-0
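Added example for this thread (not code from the original poster, the answerer, F5 or OpenSSL): a small Python probe that does by hand what the -msg dump above shows. It opens the TCP connection (the point at which openssl prints CONNECTED), sends a ClientHello carrying the requested version, and then classifies the first thing that comes back: nothing at all (reset or EOF, the "read 0 bytes" case), a fatal alert, or a ServerHello naming the version the server actually accepted. The host www.example.com, the port and the cipher list are assumptions chosen for illustration, and the sample replies at the bottom are constructed bytes, not captures from any real server, so the classifier can be exercised without network access.

```python
"""Probe a server for each legacy TLS version and report what actually came
back after the TCP connect, so a bare CONNECTED line is never mistaken for an
accepted protocol version. Illustrative example code, not a vendor tool."""
import socket
import struct
import sys

CT_ALERT, CT_HANDSHAKE = 0x15, 0x16            # record-layer content types
HS_CLIENT_HELLO, HS_SERVER_HELLO = 0x01, 0x02  # handshake message types
VERSIONS = {"TLSv1.0": (3, 1), "TLSv1.1": (3, 2), "TLSv1.2": (3, 3)}
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version"}
# Assumed cipher list: a few widely deployed suites, enough for a server that
# allows the version to answer. The goal is a verdict on the version.
CIPHERS = [0xC02F, 0xC030, 0xC013, 0xC014, 0x002F, 0x0035]


def sni_extension(host):
    """server_name extension (type 0) carrying one host_name entry."""
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    data = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", 0x0000, len(data)) + data


def build_client_hello(major, minor, host):
    """Return one TLS record holding a ClientHello that asks for (major, minor).

    The record header has the same shape as the '16 03 01 00 79' line in the
    -msg dump: type 0x16, legacy record version 3.1, then a 2-byte length.
    The version being requested lives inside the handshake body.
    """
    suites = b"".join(struct.pack("!H", c) for c in CIPHERS)
    ext = sni_extension(host)
    body = struct.pack("!BB", major, minor)
    body += bytes(32)                  # client_random: zeros are fine for a probe
    body += b"\x00"                    # empty session_id
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                # compression_methods: null only
    body += struct.pack("!H", len(ext)) + ext
    hs = struct.pack("!B", HS_CLIENT_HELLO) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BBBH", CT_HANDSHAKE, 3, 1, len(hs)) + hs


def classify_response(data):
    """Turn the first bytes the server sent back (or nothing) into a verdict."""
    if not data:
        return "no TLS record: peer closed or reset the connection (handshake refused)"
    if len(data) < 5:
        return "truncated record"
    ctype = data[0]
    if ctype == CT_ALERT and len(data) >= 7:
        level, desc = data[5], data[6]
        sev = "fatal" if level == 2 else "warning"
        return f"alert {ALERT_NAMES.get(desc, desc)} ({sev}): handshake refused"
    if ctype == CT_HANDSHAKE and len(data) >= 11 and data[5] == HS_SERVER_HELLO:
        chosen = (data[9], data[10])   # server_version field of the ServerHello
        name = next((k for k, v in VERSIONS.items() if v == chosen),
                    f"{chosen[0]}.{chosen[1]}")
        return f"ServerHello: server accepted {name}"
    return f"unexpected record type 0x{ctype:02x}"


def probe(host, port, version_name, timeout=5.0):
    """TCP connect (openssl's CONNECTED point), send ClientHello, read the reply."""
    major, minor = VERSIONS[version_name]
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(major, minor, host))
        try:
            data = sock.recv(4096)
        except (ConnectionResetError, socket.timeout):
            data = b""  # reset or silence: same outcome as 'read 0 bytes' above
    return classify_response(data)


# Constructed sample replies (not captured from a real server) for offline use:
# a fatal protocol_version alert, the start of a TLS 1.2 ServerHello, and EOF.
SAMPLE_REPLIES = {
    "alert": bytes.fromhex("15030300020246"),
    "server_hello_12": bytes.fromhex("16030300310200002d0303"),
    "closed": b"",
}

if __name__ == "__main__":
    if len(sys.argv) > 1:              # live probe: python probe.py abc.def.com
        target = sys.argv[1]
        for ver in VERSIONS:
            print(f"{target}:443 {ver:8s} -> {probe(target, 443, ver)}")
    else:                              # offline: classify the constructed samples
        for label, raw in SAMPLE_REPLIES.items():
            print(f"{label:16s} -> {classify_response(raw)}")
```

Run it with a hostname to get one line per version; a virtual server with TLSv1 and TLSv1.1 disabled should report the "no TLS record" or "alert" verdict for those two and "ServerHello: server accepted TLSv1.2" for the third, regardless of the fact that the TCP connect succeeded every time.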