--tls-max doesn't always have an effect #2571

bagder opened this Issue May 14, 2018 · 0 comments


None yet
1 participant

bagder commented May 14, 2018

(via byte_bucket on IRC)

I did this

curl -v -I --tls-max 1.0 https://example.com

I expected the following

That the connection would only allow TLS 1.0 and no later TLS version. But this negotiates TLS 1.2 just fine.

However, if I also add --tlsv1.0 to the command line, it behaves as expected and gets a TLS 1.0 connection:

curl -v -I --tls-max 1.0 --tlsv1.0 https://example.com

curl/libcurl version

git master (7.60.0-DEV) using the OpenSSL backend (this is most likely very dependent on the specific TLS backend in use)

operating system

All, but I reproduced on Linux.

@bagder bagder added the SSL/TLS label May 14, 2018

bagder added a commit that referenced this issue May 15, 2018

openssl: acknowledge --tls-max for default version too
... previously it only used the max setting if a TLS version was also
explicitly asked for.

Fixes #2571
Reported-by: byte_bucket

@bagder bagder closed this in c5fe868 May 17, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment