Options No TLSv1 and No TLSv1.1 set but curl still shows curl .. -tls1 connects

jwlarger
Cirrus

The virtual server in question tests appropriately (only TLS v1.2) via testssl.sh and the ssllabs.com tool. So why does curl -tls1 show connected?

openssl s_client -connect abc.def.com:443 -tls1

CONNECTED(00000003)


SanjayP
MVP

The -connect option first makes a TCP connection on port 443 (the default) if the host port is not defined. Before every TLS handshake, a TCP connection is made. So you would see CONNECTED as the TCP connection on 443 is open.

You can use -msg in the command and you will see that immediately after the ClientHello the connection is getting reset, failing the TLS handshake, which proves TLS1 is disabled.

e.g.

openssl s_client -connect  www.example.com:443 -tls1 -msg
CONNECTED(00000004)
>>> ??? [length 0005]
    16 03 01 00 79
>>> TLS 1.0, Handshake [length 0079], ClientHello
    01 00 00 75 03 01 82 43 99 b4 95 de 40 94 7a 73
    44 8c aa e9 92 2e 65 ad 84 a2 3d 66 1e e8 1a d7
    ce ed 6b 1b 0d 67 00 00 12 c0 0a c0 14 c0 09 c0
    13 00 35 00 2f 00 39 00 33 00 ff 01 00 00 3a 00
    00 00 12 00 10 00 00 0d 77 77 77 2e 61 65 67 6f
    6e 2e 63 6f 6d 00 0b 00 04 03 00 01 02 00 0a 00
    0c 00 0a 00 1d 00 17 00 1e 00 19 00 18 00 23 00
    00 00 16 00 00 00 17 00 00
write:errno=0
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 126 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1639142869
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

Try the same command with the -tls1_2 option and you will see a successful TLS handshake taking place, along with certificate details.

You can read more in the link below

https://security.stackexchange.com/questions/169732/using-the-openssl-command-how-can-i-tell-if-its-...
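The check the reply describes, turned into a script: it decides per protocol version from the handshake outcome (negotiated cipher and bytes read) rather than from the CONNECTED line, which only proves the TCP connect. This is an added example, not code from the original thread; the host and port are caller-supplied, and the two sample outputs embedded below are constructed (the first is a trimmed copy of the failing TLS 1.0 output shown above, the second is a made-up successful TLS 1.2 session shaped like real s_client output).

```shell
#!/bin/sh
# Added example (not from the original thread): tell a bare TCP "CONNECTED"
# apart from a completed TLS handshake by parsing `openssl s_client` output,
# then apply that check for each protocol version flag.

# Classify s_client output read from stdin. Prints one of:
#   "disabled: ..."                 TCP connected but no cipher was negotiated
#   "enabled: <Protocol> <Cipher>"  handshake completed
#   "unknown: ..."                  no SSL-Session block at all (openssl refused
#                                   the version locally, or the TCP connect failed)
classify_s_client_output() {
    out=$(cat)
    # A failed handshake still prints "Verification: OK", "Verify return code: 0 (ok)"
    # and a Protocol line, so key on the cipher and the byte count, not on those.
    case "$out" in
        *"Cipher is (NONE)"*|*"handshake has read 0 bytes"*)
            echo "disabled: TCP connected but TLS handshake failed"
            return 0 ;;
    esac
    proto=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*//p' | head -n 1)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Cipher[[:space:]]*:[[:space:]]*//p' | head -n 1)
    if [ -z "$proto" ] || [ -z "$cipher" ] || [ "$cipher" = "0000" ]; then
        echo "unknown: no handshake output (check openssl error text)"
        return 0
    fi
    echo "enabled: $proto $cipher"
}

# Probe one host with each version flag; prints e.g. "tls1    disabled: ...".
# -servername sends SNI so a name-based virtual server answers, as testssl.sh does.
probe_tls_versions() {
    host=$1
    port=${2:-443}
    for v in tls1 tls1_1 tls1_2 tls1_3; do
        result=$(openssl s_client -connect "$host:$port" -servername "$host" "-$v" </dev/null 2>&1 \
                 | classify_s_client_output)
        printf '%-7s %s\n' "$v" "$result"
    done
}

# Constructed sample: the failing TLS 1.0 attempt from the reply above, trimmed.
sample_disabled_output() {
    cat <<'EOF'
CONNECTED(00000004)
write:errno=0
---
no peer certificate available
---
SSL handshake has read 0 bytes and written 126 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Verify return code: 0 (ok)
---
EOF
}

# Constructed sample: a completed TLS 1.2 handshake (made-up cipher and byte
# counts, shaped like real s_client output).
sample_enabled_output() {
    cat <<'EOF'
CONNECTED(00000003)
---
SSL handshake has read 3405 bytes and written 433 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)
---
EOF
}

# Only talk to the network when a host is given: ./check_tls.sh host [port]
if [ $# -gt 0 ]; then
    probe_tls_versions "$@"
fi
```

One caveat when reading the "unknown" result: with OpenSSL 3 at its default security level the client itself may refuse -tls1 or -tls1_1 with "no protocols available" before any packet is sent, which says nothing about the server. Lowering the client's level for the probe (for example adding -cipher 'DEFAULT:@SECLEVEL=0') makes the result reflect the server's configuration, which is what the virtual server test is about.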