Client can't negotiate with TLS 1.0 and 1.1

Lukas Tribus lukas at ltri.eu
Thu Aug 25 19:30:21 UTC 2022


Hello,


the *client* you are using to test this is just as important. Adjust
CipherString in /etc/ssl/openssl.cnf or the client parameters (-cipher
"DEFAULT:@SECLEVEL=0") too.

~# grep SEC /etc/ssl/openssl.cnf
CipherString = DEFAULT:@SECLEVEL=2
~#
~# openssl s_client -connect www.google.com:443 -tls1
CONNECTED(00000003)
804BDAE0FF7E0000:error:0A0000BF:SSL routines:tls_setup_handshake:no
protocols available:../ssl/statem/statem_lib.c:104:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 7 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
~# openssl s_client -connect www.google.com:443 -tls1 -cipher "DEFAULT:@SECLEVEL=0"
CONNECTED(00000003)
depth=2 C = US, O = Google Trust Services LLC, CN = GTS Root R1
verify return:1
depth=1 C = US, O = Google Trust Services LLC, CN = GTS CA 1C3
verify return:1
depth=0 CN = www.google.com
verify return:1
[...]
cheers,
lukas
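As an added example (not from Lukas's post, nor nginx or OpenSSL code), the same client-side check as a small Python probe: it builds a client context with the `DEFAULT:@SECLEVEL=0` cipher string from the post, pins a single protocol version, keeps certificate verification on, and reports whether a failure is the client refusing to offer the version (the `no protocols available` case above) or the server turning it down. The helper names are assumptions; probing a host needs network access.

```python
import socket
import ssl
import sys
import warnings

# OpenSSL 3 only permits TLS 1.0/1.1 at security level 0; with the distro
# default (CipherString = DEFAULT:@SECLEVEL=2 in openssl.cnf) the client
# gives up before sending anything: "no protocols available".
SECLEVEL_DEFAULT = "DEFAULT:@SECLEVEL=2"
SECLEVEL_LEGACY = "DEFAULT:@SECLEVEL=0"

def make_context(cipher_string, version_name):
    """Client context pinned to one version name such as "TLSv1" or "TLSv1_1".
    Lowering SECLEVEL only widens what the client may offer; verification and
    hostname checking from create_default_context() stay on."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers(cipher_string)  # same effect as s_client -cipher "..."
    version = ssl.TLSVersion[version_name]
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)  # TLSv1* are deprecated
        ctx.minimum_version = version
        ctx.maximum_version = version
    return ctx

def describe(ctx):
    """Plain-value summary of a context (for assertions and logging)."""
    return {"min": ctx.minimum_version.name, "max": ctx.maximum_version.name,
            "verify": ctx.verify_mode.name, "check_hostname": ctx.check_hostname}

def probe(host, port, version_name, cipher_string):
    """Negotiated protocol name, or the handshake failure reason."""
    ctx = make_context(cipher_string, version_name)
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except ssl.SSLError as exc:
        # NO_PROTOCOLS_AVAILABLE: the *client* refused to offer the version
        # (the s_client failure in the post); a protocol-version alert or
        # UNSUPPORTED_PROTOCOL means the server turned it down instead.
        return "error: %s" % exc.reason
    except OSError as exc:
        return "error: %s" % exc

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "www.google.com"  # host from the post
    for cipher_string in (SECLEVEL_DEFAULT, SECLEVEL_LEGACY):
        for version_name in ("TLSv1", "TLSv1_1"):
            print(cipher_string, version_name, "->", probe(host, 443, version_name, cipher_string))
```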