Forum Discussion
Options No TLSv1 and No TLSv1.1 set but curl still shows curl .. -tls1 connects
The virtual server in question tests appropriately (only TLS v1.2) via testssl.sh and the ssllabs.com tool. So why does curl -tls1 show connected?
openssl s_client -connect abc.def.com:443 -tls1
CONNECTED(00000003)
- spalandeNacreous
The -connect option first makes a TCP connection on port 443 (default) if the host port is not defined. Before every TLS handshake, a TCP connection is made. So you would see CONNECTED, as the 443 TCP connection is open.
You can use -msg in the command and you will see that immediately after CLIENT_HELLO the connection is getting reset, failing the TLS handshake, which proves TLS1 is disabled.
E.g.:
openssl s_client -connect www.example.com:443 -tls1 -msg
CONNECTED(00000004)
>>> ??? [length 0005]
    16 03 01 00 79
>>> TLS 1.0, Handshake [length 0079], ClientHello
    01 00 00 75 03 01 82 43 99 b4 95 de 40 94 7a 73
    44 8c aa e9 92 2e 65 ad 84 a2 3d 66 1e e8 1a d7
    ce ed 6b 1b 0d 67 00 00 12 c0 0a c0 14 c0 09 c0
    13 00 35 00 2f 00 39 00 33 00 ff 01 00 00 3a 00
    00 00 12 00 10 00 00 0d 77 77 77 2e 61 65 67 6f
    6e 2e 63 6f 6d 00 0b 00 04 03 00 01 02 00 0a 00
    0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 00 23 00
    00 00 16 00 00 00 17 00 00
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 126 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1639142869
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
Try the same command with the tls1_2 option and you will see a successful TLS handshake taking place along with certificate details.
You can read more at the link below.
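An added example, not part of the original post or reply: a shell helper that judges an `openssl s_client` run by its handshake lines rather than by `CONNECTED`. The function names and the second sample are constructed here; the first sample reuses lines from the `-tls1` output above.

```shell
#!/bin/sh
# classify_s_client: read `openssl s_client` output on stdin, print a verdict.
# CONNECTED(...) only proves the TCP connect; the handshake result is in the
# "SSL handshake has read N bytes" and "New, <proto>, Cipher is <c>" lines.
classify_s_client() {
    awk '
        BEGIN { rd = -1 }
        /^CONNECTED[(]/                  { tcp = 1 }
        /^SSL handshake has read [0-9]+/ { rd = $5 }
        /^New, .*Cipher is /             { proto = $2; sub(/,$/, "", proto); cipher = $NF }
        END {
            if (!tcp)
                print "tcp-failed"
            else if (rd == 0 || cipher == "" || cipher == "(NONE)")
                print "handshake-rejected"
            else
                print "negotiated:" proto ":" cipher
        }'
}

# probe_tls HOST PORT FLAG, e.g.: probe_tls abc.def.com 443 -tls1
probe_tls() {
    openssl s_client -connect "$1:$2" -servername "$1" "$3" </dev/null 2>&1 |
        classify_s_client
}

# Sample 1: lines taken from the -tls1 output in the post (abridged).
sample_tls1() {
    cat <<'EOF'
CONNECTED(00000004)
write:errno=0
no peer certificate available
SSL handshake has read 0 bytes and written 126 bytes
New, (NONE), Cipher is (NONE)
EOF
}

# Sample 2: constructed lines for an accepted -tls1_2 handshake (not from the post).
sample_tls12() {
    cat <<'EOF'
CONNECTED(00000004)
SSL handshake has read 3145 bytes and written 436 bytes
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
EOF
}
```

Running `probe_tls` once per protocol flag (`-tls1`, `-tls1_1`, `-tls1_2`) gives a one-line verdict per version for the virtual server.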