On Mon, Apr 05, 1999 at 02:49:59PM -0700, Roland Mechler wrote:
> I haven't seen a reply to this one, so here goes. I'm not clear on
> whether this is a bug or not. I haven't had a really close look at
> the code, but I think the issue is that the SSLv3 method won't
> accept Version 2.0 client hello messages. I think it *ought* to,
> but the specs aren't entirely clear on it. [...] excerpts:
> SSL 3.0:
> [...] Version 3.0 servers should accept either
> client hello format.
> TLS 1.0:
> [...] TLS servers should accept
> either client hello format if they wish to support SSL 2.0 clients on
> the same connection port.
[...]
> But, a TLS server which decided not to accept Version 2.0 client hellos
> wouldn't be able to support TLS clients that also support SSL 2.0 (because,
> as the spec states, TLS clients which support SSL 2.0 *must* send
> Version 2.0 client hellos).
>
> Any comments?
While this is true, the SSLeay/OpenSSL behaviour makes sense in that
the SSL 3 or TLS 1.0 methods accept just their specific protocols.
When compatibility with SSL 2 client hello messages is desired (which,
as you note, can be the case even if SSL 2 is not accepted), one has
to use the ssl23 stuff -- one still can disable SSL 2 (or both SSL 2
and SSL 3). For example, "openssl s_server -no_ssl2 -no_ssl3" forces
the use of TLS, but accepts the SSL 2 client hello format (which
"openssl s_server -tls1" does not).
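The distinction drawn above (a version-specific method only understands record-layer framing, while the ssl23 method accepts either hello format and then applies -no_ssl2/-no_ssl3) can be modelled in a few lines. This is an added illustration, not OpenSSL's code: the hello layouts follow RFC 2246 Appendix E and the SSL 3.0/TLS record format, the `negotiate` function and the sample hellos are constructed here.

```python
import struct

# Constructed model of SSLeay/OpenSSL version negotiation; not OpenSSL code.
SSL2, SSL3, TLS1 = 0x0002, 0x0300, 0x0301

def parse_client_hello(data):
    """Classify the first bytes a server reads as ('v2', version) for an
    SSL 2.0-format ClientHello (RFC 2246 Appendix E) or ('v3', version)
    for an SSL 3.0/TLS record-layer ClientHello."""
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 1:
        # V2ClientHello: 15-bit length with the high bit set, msg_type 1,
        # then the highest protocol version the client supports.
        return 'v2', struct.unpack('>H', data[3:5])[0]
    if len(data) >= 11 and data[0] == 0x16 and data[5] == 0x01:
        # Record header: type 0x16 (handshake), version, length; then
        # Handshake: type 0x01 (client_hello), 3-byte length, version.
        return 'v3', struct.unpack('>H', data[9:11])[0]
    raise ValueError('not a ClientHello')

def negotiate(data, method='ssl23', no_ssl2=False, no_ssl3=False):
    """Protocol version the server selects, or None if it rejects the hello.
    'tls1' and 'ssl3' model the fixed-version methods (-tls1, -ssl3): their
    own protocol only, record-layer framing only. 'ssl23' accepts either
    hello format, then honours -no_ssl2/-no_ssl3 when picking a version."""
    framing, version = parse_client_hello(data)
    if method == 'tls1':
        return TLS1 if framing == 'v3' and version >= TLS1 else None
    if method == 'ssl3':
        return SSL3 if framing == 'v3' and version == SSL3 else None
    if version >= TLS1:
        return TLS1
    if version == SSL3 and not no_ssl3:
        return SSL3
    if version == SSL2 and not no_ssl2:
        return SSL2
    return None

# Constructed sample hellos (one cipher spec/suite each, dummy challenge/random).
V2_HELLO_TLS = (b'\x80\x1c\x01\x03\x01\x00\x03\x00\x00\x00\x10'
                + b'\x00\x00\x0a' + b'\x11' * 16)   # SSL 2.0 framing, offers TLS 1.0
V2_HELLO_SSL2 = (b'\x80\x1c\x01\x00\x02\x00\x03\x00\x00\x00\x10'
                 + b'\x01\x00\x80' + b'\x22' * 16)  # SSL 2.0 framing, offers SSL 2.0 only
V3_HELLO_TLS = (b'\x16\x03\x01\x00\x2d\x01\x00\x00\x29\x03\x01'
                + b'\x33' * 32 + b'\x00\x00\x02\x00\x0a\x01\x00')  # TLS record framing

if __name__ == '__main__':
    print('-no_ssl2 -no_ssl3, v2-format hello offering TLS 1.0:',
          hex(negotiate(V2_HELLO_TLS, no_ssl2=True, no_ssl3=True)))
    print('-tls1, same hello:', negotiate(V2_HELLO_TLS, method='tls1'))
```

A v2-format hello that advertises 3.1 is accepted by the ssl23 model even with both older protocols disabled, exactly the case the reply describes, while the tls1 model rejects it on framing alone.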
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]