On Mon, Apr 05, 1999 at 02:49:59PM -0700, Roland Mechler wrote:

> I haven't seen a reply to this one, so here goes. I'm not clear on
> whether this is a bug or not. I haven't had a really close look at
> the code, but I think the issue is that the SSLv3 method won't
> accept Version 2.0 client hello messages.  I think it *ought* to,
> but the specs aren't entirely clear on it. [...] excerpts:
> SSL 3.0:
>                            [...] Version 3.0 servers should accept either
>   client hello format.
> TLS 1.0:
>                                       [...] TLS servers should accept
>   either client hello format if they wish to support SSL 2.0 clients on
>   the same connection port.
[...]
> But, a TLS server which decided not to accept Version 2.0 client hellos
> wouldn't be able to support TLS clients that also support SSL 2.0 (because,
> as the spec states, TLS clients which support SSL 2.0 *must* send
> Version 2.0 client hellos).
> 
> Any comments?

While this is true, the SSLeay/OpenSSL behaviour makes sense in that
the SSL 3 or TLS 1.0 methods accept just their specific protocols.
When compatibility with SSL 2 client hello messages is desired (which,
as you note, can be the case even if SSL 2 is not accepted), one has
to use the ssl23 stuff -- one still can disable SSL 2 (or both SSL 2
and SSL 3).  For example, "openssl s_server -no_ssl2 -no_ssl3" forces
the use of TLS, but accepts the SSL 2 client hello format (which
"openssl s_server -tls1" does not).
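As an added example (not code from this thread or from OpenSSL), the two client hello layouts discussed above and the server-side rule the reply describes, modelled in C: classify_client_hello reads the record header to tell a Version 2.0 hello from a 3.0/TLS one, and server_accepts encodes the ssl3/tls1-versus-ssl23 behaviour with -no_ssl2/-no_ssl3 represented as assumed option bits. The function and type names, the option model and the sample byte strings are constructed assumptions, not OpenSSL's own.

```c
/* Added example (not from the thread or OpenSSL); all byte strings are constructed. */
#include <stddef.h>
#include <string.h>
enum hello_fmt { HELLO_UNKNOWN, HELLO_V2_FORMAT, HELLO_V3_FORMAT };
struct hello_info { enum hello_fmt fmt; int major, minor; };

/* Inspect the first record to tell which client hello layout the client used. */
int classify_client_hello(const unsigned char *buf, size_t len, struct hello_info *out)
{
    memset(out, 0, sizeof *out);
    /* SSL 2.0 layout: 2-byte header with high bit set, msg type 1 (CLIENT-HELLO), then the
     * version the client really wants, which may be 3.0 or 3.1 (RFC 2246, appendix E.1). */
    if (len >= 5 && (buf[0] & 0x80) && buf[2] == 0x01) {
        size_t rec_len = ((size_t)(buf[0] & 0x7f) << 8) | buf[1];
        if (rec_len < 9 || rec_len > len - 2) return 0;      /* truncated or too short */
        out->fmt = HELLO_V2_FORMAT; out->major = buf[3]; out->minor = buf[4];
        return 1;
    }
    /* SSL 3.0 / TLS layout: handshake record (0x16), record version, 2-byte length,
     * then handshake type 1 (client_hello), 3-byte length, client_version. */
    if (len >= 11 && buf[0] == 0x16 && buf[5] == 0x01) {
        size_t rec_len = ((size_t)buf[3] << 8) | buf[4];
        if (rec_len < 6 || rec_len > len - 5) return 0;
        out->fmt = HELLO_V3_FORMAT; out->major = buf[9]; out->minor = buf[10];
        return 1;
    }
    return 0;
}
/* Server policy as the reply states it: ssl3/tls1 methods take only their own layout and
 * version; ssl23 takes either layout, then honours -no_ssl2 / -no_ssl3. The option handling
 * is an assumed model for illustration, not OpenSSL's actual code. */
enum { OPT_NO_SSL2 = 1, OPT_NO_SSL3 = 2 };
enum method { METHOD_SSL3, METHOD_TLS1, METHOD_SSL23 };
int server_accepts(enum method m, int opts, const struct hello_info *h)
{
    int ver = (h->major << 8) | h->minor;                   /* 0x0002, 0x0300 or 0x0301 */
    if (h->fmt == HELLO_UNKNOWN) return 0;
    if (m == METHOD_SSL3) return h->fmt == HELLO_V3_FORMAT && ver == 0x0300;
    if (m == METHOD_TLS1) return h->fmt == HELLO_V3_FORMAT && ver == 0x0301;
    if (ver >= 0x0301) return 1;                            /* ssl23: TLS 1.0 always enabled */
    if (ver >= 0x0300 && !(opts & OPT_NO_SSL3)) return 1;
    return h->fmt == HELLO_V2_FORMAT && !(opts & OPT_NO_SSL2); /* SSL 2.0 needs the v2 layout */
}
/* Constructed samples: a TLS 1.0 client that also supports SSL 2.0 sends the v2 layout
 * carrying version 3.1 (one cipher spec, 16-byte challenge); a TLS-only client sends v3. */
const unsigned char V2_LAYOUT_TLS10[30] = { 0x80,0x1c, 0x01, 0x03,0x01, 0x00,0x03, 0x00,0x00,
    0x00,0x10, 0x00,0x00,0x0a, 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16 };
const unsigned char V3_LAYOUT_TLS10[50] = { 0x16,0x03,0x01,0x00,0x2d, 0x01,0x00,0x00,0x29, 0x03,0x01,
    0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,0, /* 32-byte random */
    0x00, 0x00,0x02, 0x00,0x0a, 0x01,0x00 }; /* no session id, one suite, null compression */
```

With these samples, the v2-layout hello advertising 3.1 is refused by the tls1-only policy but accepted by ssl23 even with both -no_ssl2 and -no_ssl3 set, which is the point of the reply.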
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]