<Please advise> Use 'openssl s_server command' to disable TLS1.0


guoxiaobinni

Dear All,

I hit the following error when I used the ‘openssl s_server -no_tls1’ command to disable TLS1.0 on a Redhat Linux server. It shows the openssl version as well.

------------------------------------------------------------

$ openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
$ openssl s_server -no_tls1
Error opening server certificate private key file server.pem
140057863432008:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('server.pem','r')
140057863432008:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load server certificate private key file

------------------------------------------------------------

I can’t confirm if the command format is fine or not. Would you please help to correct me?

Thanks and Regards,

Chobin Guo


Re: <Please advise> Use 'openssl s_server command' to disable TLS1.0

Matt Caswell-2


On 03/03/2020 07:48, [hidden email] wrote:
> Dear All,
>
> I hit the following error when used ‘openssl s_server -no_tls1’ command
> to disable TLS1.0 on Redhat Linux server.

Your question is slightly ambiguous. It implies you expect the command
to disable TLSv1.0 for all applications on your server. If that is what
you meant then you will be disappointed. "openssl s_server" runs a test
server to enable testing TLS connections from clients. The "-no_tls1"
option disables TLSv1.0 for that test server instance only.

If you really mean to start a test server then you need to additionally
supply a key and certificate file. By default s_server will look for the
key/cert in the file server.pem in the current working directory.
Otherwise you have to explicitly state the location of these files with
the "-key" and "-cert" options.

Matt




RE: <Please advise> Use 'openssl s_server command' to disable TLS1.0

guoxiaobinni
Thanks Matt,

Following your advice, I tried to execute both of the following commands to disable TLS 1.0 for client and server separately. Since I have no right to access the private key file, of course they failed. Could you please correct me if the command format is fine? I will then assign them to a senior colleague to execute.

$ openssl s_server -no_tls1 -key keyfile -cert certname
$ openssl s_client -no_tls1 -key keyfile [-cert certname]

Thanks.
Chobin




Re: <Please advise> Use 'openssl s_server command' to disable TLS1.0

Matt Caswell-2


On 04/03/2020 08:31, [hidden email] wrote:
> Thanks Matt,
>
> As your advice, I tried to execute the following both commands to disable TLS 1.0 for Client and Server separately. Since I have no right to access private keyfile, of course they failed. Could you please correct me if the command format is fine? I then will assign them to senior colleague to execute.
>
> $ openssl s_server -no_tls1 -key keyfile -cert certname
> $ openssl s_client -no_tls1 -key keyfile [-cert certname]

The format for s_server is fine. There is no need to supply the -key and
-cert options to s_client unless you are wanting to test client
authentication.

However, I'm still not convinced you have understood what these commands
actually do. They will create a test server, and initiate a test
client to connect to it respectively - and will disable TLSv1.0 for
those instances only. Typically you would only do this with test
keys/certs not with production keys/certs. It will have no impact on any
other servers/clients running in your environment.

Matt


Re: <Please advise> Use 'openssl s_server command' to disable TLS1.0

guoxiaobinni
Hi Matt,

I have asked a senior colleague to run the following commands on the Redhat Linux server.
$ openssl s_server -no_tls1 -key keyfile -cert certname
$ openssl s_client -no_tls1

May I know what actions will make them take effect after they are run?



Re: Re: <Please advise> Use 'openssl s_server command' to disable TLS1.0

Hubert Kario
On Tuesday, 17 March 2020 10:04:34 CET, [hidden email] wrote:
> Hi Matt,
>
> I have asked senior colleague for running the following
> commands on Redhat Linux server.
> $ openssl s_server -no_tls1 -key keyfile -cert certname
> $ openssl s_client -no_tls1
>
> May I know any actions will make them take effect after run?

`openssl s_client` and `openssl s_server` are debugging tools

any command line options passed to them affect only those tools

it will not affect apache, curl, nginx, or any other application that uses
the openssl library

Please contact Red Hat support on how to configure specific servers or clients.
You may also find the information you're looking for in the Red Hat Customer Portal:
https://access.redhat.com/articles/1462183



--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic
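
An added example, not written by any poster in this thread: a shell sketch of the test setup the replies above describe, using a throwaway self-signed certificate and probing the test server once with TLS 1.0 and once with TLS 1.2. The port 4433, the file names, and the helper names `handshake_result`, `probe` and `demo` are assumptions made for this example.

```sh
#!/bin/sh
# Added example (constructed): show that -no_tls1 restricts only the
# s_server test instance it is passed to.
# Assumptions: port 4433 is free; key/cert are throwaway test files.

# Classify s_client output by its "Cipher is ..." summary line.
# Prints "accepted" if a cipher was negotiated, otherwise "refused".
handshake_result() {
    if printf '%s\n' "$1" | grep -q 'Cipher is (NONE)'; then
        echo refused
    elif printf '%s\n' "$1" | grep -q 'Cipher is '; then
        echo accepted
    else
        echo refused    # no handshake summary at all (e.g. connect error)
    fi
}

# probe HOST:PORT FLAG, where FLAG is an s_client protocol switch such as
# -tls1 or -tls1_2. stdin is /dev/null so s_client exits after the handshake.
probe() {
    handshake_result "$(openssl s_client "$2" -connect "$1" </dev/null 2>&1)"
}

demo() {
    dir=$(mktemp -d) || return 1
    # Throwaway self-signed test certificate, never a production key.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=localhost' \
        -keyout "$dir/test.key" -out "$dir/test.crt" 2>/dev/null || return 1
    # Test server with TLS 1.0 disabled for this one process only.
    openssl s_server -no_tls1 -key "$dir/test.key" -cert "$dir/test.crt" \
        -accept 4433 -quiet &
    pid=$!
    sleep 1
    echo "test server, TLS 1.0: $(probe localhost:4433 -tls1)"
    echo "test server, TLS 1.2: $(probe localhost:4433 -tls1_2)"
    kill "$pid"
    rm -rf "$dir"
    # Any other service keeps its own settings and must be probed (and
    # configured) separately, e.g.:  probe localhost:443 -tls1
}

# Run the live demo only when asked to: sh thisfile.sh --demo
if [ "${1:-}" = "--demo" ]; then demo; fi
```

The same `probe` call pointed at a real service's port shows whether that service still negotiates TLS 1.0, which is decided by that service's own configuration and not by anything passed to `s_server`.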


Re: Re: <Please advise> Use 'openssl s_server command' to disable TLS1.0

guoxiaobinni
Hi Hubert,

Sorry for the unclear description. I just want to disable TLS 1.0 on the Redhat Linux server. After running both of those commands, how do I make them take effect, or is nothing further needed? May I have more of your advice?

Chobin




Re: Re: <Please advise> Use 'openssl s_server command' to disable TLS1.0

Hubert Kario
On Tuesday, 17 March 2020 13:02:36 CET, 163 wrote:
> Hi Hubert,
>
> Sorry for unclear description. I just want to disable TLS 1.0
> on Redhat Linux server. After run those both commands, then how
> to take them effect or no need any. May I have your more advice?

there is a language barrier

please contact red hat support: they can talk in Cantonese and Mandarin

see https://access.redhat.com/support/contact/technicalSupport/
or open a new support case here:
https://access.redhat.com/support/cases/new


--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00  Brno, Czech Republic