While retiring legacy encryption, a Linux administrator needs to confirm from the command line that a public web server listening on port 443 will not negotiate TLS 1.1. Which OpenSSL command provides the MOST direct test of this requirement?
The -tls1_1 option forces the client to attempt a handshake using only the TLS 1.1 protocol. If the server has correctly disabled that version, the command will fail to complete the handshake and return an error, proving that TLS 1.1 is no longer accepted. The -no_tls1_1 switch does the opposite: it blocks TLS 1.1 but still allows higher versions, so the connection could succeed and give a false sense of security. Adding -starttls targets a specific application layer (such as HTTP or SMTP) and is unnecessary when the service is already running native TLS on port 443. Specifying unrelated ports or cipher manipulations also fails to provide a focused protocol-version test.
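The explanation above treats a failed handshake as proof, but the same failure also appears when the local OpenSSL build or its configuration refuses to offer TLS 1.1, which would pass a server that still accepts it. The following added example (not part of the original question; the function names `classify_tls11` and `check_tls11`, the host name and the sample outputs are constructed for illustration) runs the forced TLS 1.1 handshake and separates those cases.

```shell
#!/bin/sh
# Added example. Function names and sample outputs are constructed, not from the page.

# Read s_client output (stdout+stderr) on stdin and print one verdict.
classify_tls11() {
    _out=$(cat)
    if printf '%s\n' "$_out" | grep -Eq 'no protocols available|[Uu]nknown option'; then
        # The local OpenSSL build or openssl.cnf refuses to offer TLS 1.1,
        # so the failure says nothing about the server.
        echo INCONCLUSIVE_CLIENT
    elif printf '%s\n' "$_out" | grep -Fq 'Cipher is (NONE)'; then
        # TCP connected but no cipher was negotiated: handshake refused.
        echo REJECTED
    elif printf '%s\n' "$_out" | grep -Eq 'Protocol *: *TLSv1\.1'; then
        # A session with a real cipher at TLS 1.1: the server still accepts it.
        echo ACCEPTED
    else
        # No handshake attempt visible (DNS failure, refused port, timeout).
        echo INCONCLUSIVE_NETWORK
    fi
}

# Run the forced TLS 1.1 handshake against host [port] and classify it.
check_tls11() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" -tls1_1 \
        </dev/null 2>&1 | classify_tls11
}

# Constructed, abbreviated samples of s_client output for offline checking.
SAMPLE_REJECTED='CONNECTED(00000003)
error:...:SSL routines:...:tlsv1 alert protocol version
New, (NONE), Cipher is (NONE)
    Protocol  : TLSv1.1
    Cipher    : 0000'
SAMPLE_ACCEPTED='CONNECTED(00000003)
New, TLSv1.0, Cipher is ECDHE-RSA-AES256-SHA
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-AES256-SHA'
SAMPLE_CLIENT='error:...:SSL routines::no protocols available'
SAMPLE_NETWORK='connect:errno=111'

# Live use (hypothetical host): check_tls11 www.example.com 443
```

An INCONCLUSIVE_CLIENT verdict means the test should be repeated from a host whose OpenSSL can still offer TLS 1.1 before the requirement is signed off.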
CompTIA Linux+ XK0-006 (V8)
Security