On Fri, Sep 08, 2000 at 11:10:23AM +0800, Fung wrote:
> Does anyone know what is the diff. between SSLv2_method and
> SSLv23_method?? Once I used SSLv23_method to create SSL_CTX for my
> client program, handshake failure returned when connected to some
> web server. When I changed to use SSLv2_method to create SSL_CTX, no
> problem at all.
SSLv2_method allows only the old, defective SSL 2.0 protocol.
SSLv23_method enables automatic protocol version negotiation,
which may lead to use of SSL 2.0, SSL 3.0, or TLS 1.0, depending
on which protocol versions are supported by the peer.
There are still some buggy servers that will fail if a client tries
to connect this way. Instead of resorting to SSLv2_method,
try using the SSL_OP_NO_TLSv1 flag to negotiate an SSL 3.0 session
(SSL 3.0 is a lot better than SSL 2.0); this may work.
You can use s_client with the '-no_tls1' option to test this.
Note that SSLv2_method will fail for some servers because they
no longer support SSL 2.0 (and dropping support for it is a good
thing because of its deficiencies). I suggest using
SSLv23_method without SSL_OP_NO_TLSv1 in a first connection attempt;
if this fails, try using the SSL_OP_NO_TLSv1 flag in a second
connection attempt (or try SSLv3_method; some servers may even
require TLSv1_method, but no one uses those :-).
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
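The negotiation behaviour and the fallback order described in the reply above, as an added example that is not part of the original thread and is not OpenSSL code: a self-contained C model of what each client method (SSLv2_method, SSLv23_method, SSLv3_method, TLSv1_method) offers, how SSL_OP_NO_TLSv1 and the other SSL_OP_NO_* options narrow that offer, how a well-behaved server differs from a buggy one that aborts on a version number it does not know, and the try-SSLv23-first-then-NO_TLSv1 sequence. The method and option names are reused as labels only (the bit values are the model's own), the three server profiles are constructed for illustration, and nothing touches the network.

```c
/* Added example (not OpenSSL code): a model of client-side protocol
 * version negotiation for the OpenSSL methods of the time and the
 * fallback order suggested on the list. Server profiles are constructed. */
#include <stdio.h>
#include <stddef.h>

/* Version numbers as on the wire (major << 8 | minor), so that numeric
 * comparison orders them oldest to newest. */
enum proto { NONE = 0, SSL2 = 0x0002, SSL3 = 0x0300, TLS1 = 0x0301 };

/* Bitmask form of the same versions, for sets of supported versions. */
#define S_SSL2 1
#define S_SSL3 2
#define S_TLS1 4

/* The OpenSSL method families; the names are used as labels only. */
enum method { SSLv2_method, SSLv23_method, SSLv3_method, TLSv1_method };

/* Model of SSL_OP_NO_SSLv2 / SSL_OP_NO_SSLv3 / SSL_OP_NO_TLSv1
 * (bit values are this model's own, not OpenSSL's). */
#define OP_NO_SSLv2 0x1
#define OP_NO_SSLv3 0x2
#define OP_NO_TLSv1 0x4

struct server {
    const char *name;
    int supports;   /* S_* mask of versions the server implements */
    int tolerant;   /* 1: replies to a newer-than-known version with its own
                       highest; 0: buggy, fails the handshake instead */
};

/* Constructed profiles for the three server kinds the thread mentions. */
const struct server MODERN_SERVER    = { "modern (SSL3+TLS1, no SSL2)", S_SSL3 | S_TLS1, 1 };
const struct server BUGGY_SERVER     = { "buggy (SSL2+SSL3, chokes on TLS1)", S_SSL2 | S_SSL3, 0 };
const struct server SSL2_ONLY_SERVER = { "SSL2 only", S_SSL2, 1 };

/* What the client puts on the wire: the versions it accepts and the
 * highest one it advertises in its hello. */
struct offer { int versions; enum proto advertised; };

static enum proto highest(int mask) {
    if (mask & S_TLS1) return TLS1;
    if (mask & S_SSL3) return SSL3;
    if (mask & S_SSL2) return SSL2;
    return NONE;
}

struct offer client_offer(enum method m, int opts) {
    struct offer o = { 0, NONE };
    switch (m) {
    case SSLv2_method: o.versions = S_SSL2; break;   /* SSL 2.0 only */
    case SSLv3_method: o.versions = S_SSL3; break;
    case TLSv1_method: o.versions = S_TLS1; break;
    case SSLv23_method: o.versions = S_SSL2 | S_SSL3 | S_TLS1; break;
    }
    /* SSL_OP_NO_* options remove versions from whatever the method allows. */
    if (opts & OP_NO_SSLv2) o.versions &= ~S_SSL2;
    if (opts & OP_NO_SSLv3) o.versions &= ~S_SSL3;
    if (opts & OP_NO_TLSv1) o.versions &= ~S_TLS1;
    o.advertised = highest(o.versions);
    return o;
}

/* Server side of the handshake: the agreed version, or NONE on failure. */
enum proto negotiate(const struct server *s, struct offer o) {
    if (o.advertised == NONE) return NONE;
    /* The bug from the thread: a version newer than the server knows makes
     * it fail the handshake instead of answering with its own highest. */
    if (!s->tolerant && o.advertised > highest(s->supports)) return NONE;
    return highest(o.versions & s->supports);
}

/* Fallback order from the reply: plain SSLv23, then SSLv23 with
 * SSL_OP_NO_TLSv1, then the single-version methods. */
struct attempt { enum method m; int opts; const char *label; };
static const struct attempt PLAN[] = {
    { SSLv23_method, 0,           "SSLv23_method" },
    { SSLv23_method, OP_NO_TLSv1, "SSLv23_method + SSL_OP_NO_TLSv1" },
    { SSLv3_method,  0,           "SSLv3_method" },
    { TLSv1_method,  0,           "TLSv1_method" },
};
#define NPLAN (sizeof PLAN / sizeof PLAN[0])

/* attempt: index into PLAN that succeeded, or -1 if every attempt failed. */
struct result { enum proto version; int attempt; };

struct result connect_with_fallback(const struct server *s, int extra_opts) {
    struct result r = { NONE, -1 };
    size_t i;
    for (i = 0; i < NPLAN; i++) {
        enum proto v = negotiate(s, client_offer(PLAN[i].m, PLAN[i].opts | extra_opts));
        if (v != NONE) { r.version = v; r.attempt = (int)i; break; }
    }
    return r;
}

static const char *proto_name(enum proto p) {
    return p == TLS1 ? "TLSv1" : p == SSL3 ? "SSLv3" : p == SSL2 ? "SSLv2" : "handshake failure";
}

int main(void) {
    const struct server *servers[] = { &MODERN_SERVER, &BUGGY_SERVER, &SSL2_ONLY_SERVER };
    size_t i;
    for (i = 0; i < 3; i++) {
        struct result r = connect_with_fallback(servers[i], 0);
        printf("%-36s -> %s", servers[i]->name, proto_name(r.version));
        if (r.attempt >= 0) printf(" (via %s)", PLAN[r.attempt].label);
        printf("\n");
    }
    /* Refusing SSL 2.0 outright makes the SSL2-only server unreachable,
     * which is the intended outcome given SSL 2.0's defects. */
    printf("%-36s -> %s\n", "SSL2 only, with SSL_OP_NO_SSLv2",
           proto_name(connect_with_fallback(&SSL2_ONLY_SERVER, OP_NO_SSLv2).version));
    return 0;
}
```

The third profile is the caveat to keep in mind when following the reply's advice: SSLv23_method without SSL_OP_NO_SSLv2 negotiates happily down to SSL 2.0 against a server that offers nothing better, so a client that does not want the defective protocol has to exclude it explicitly rather than rely on the server. The model deliberately ignores hello message formats (the SSLv2-compatible hello SSLv23_method sends versus the SSLv3/TLS-format one), which is another reason real servers can differ from what the version arithmetic alone predicts.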