On Mon, Jan 13, 2003 at 01:33:58PM -0800, Tim Regovich wrote:
> I have encountered an interesting problem when trying
> to connect to s_server with Opera, when only TLS is
> enabled in Opera. I can only seem to connect to the
> s_server if I:
>
> 1) start s_server -ssl3
> 2) connect to https://localhost
>
> If I try connecting to https://192.168.2.69 (the IP of
> the same machine) I get the following error in
> s_server:
> 24092:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:295:
>
> I get the same error if I run s_server with the -tls1
> option only.
>
> I realize that this may be a problem with Opera, but
> other clients also have problems, like MSN messenger,
> so regardless of the root cause I would like to address
> this as a workaround in the server.

I am not familiar with Opera and with its default settings. However: in the
normal setup the client sends an SSLv2 client hello with the additional
information that up to TLSv1 is supported. The server then chooses the
highest protocol available. If the server only understands SSLv3 or TLSv1, it
will not understand the client hello, with symptoms as described.

For the server I would therefore recommend that you instead disable protocols
with -no_ssl2 etc. In this case the server is still able to understand all
formats of the client hello sent, but it will only choose an allowed
protocol, probably yielding the desired result.

Remark 1: If you instruct Opera to only use TLSv1, it would make sense to
directly send a TLSv1 client hello. The symptoms indicate that it still
sends the SSLv2 compatible client hello.

Remark 2: Use ssldump to verify the assumption made in remark 1.

Best regards,
	Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
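
The check suggested in remark 2 can also be done on the raw first bytes of a connection. The following is an added example, not part of the original message and not OpenSSL code: it tells an SSLv2-compatible client hello from an SSLv3/TLS record-framed one and models the server behaviour described in the reply. All function names are hypothetical and both sample hellos are constructed.

```python
import struct

VERSIONS = {(2, 0): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1"}

def classify_client_hello(data: bytes):
    """Return (wire_format, highest_version_offered) for a client's first bytes."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes")
    # SSLv2-style framing: 2-byte length with the high bit set, then
    # msg-type 1 (CLIENT-HELLO), then the highest version the client supports.
    if data[0] & 0x80 and data[2] == 0x01:
        return ("sslv2-compatible", VERSIONS.get((data[3], data[4]), "unknown"))
    # SSLv3/TLS framing: record type 22 (handshake), major version 3,
    # handshake type 1 (ClientHello) at offset 5, client_version at 9..10.
    if data[0] == 0x16 and data[1] == 0x03:
        if len(data) < 11 or data[5] != 0x01:
            raise ValueError("handshake record is not a ClientHello")
        return ("tls-record", VERSIONS.get((data[9], data[10]), "unknown"))
    raise ValueError("not a recognisable client hello")

def server_parses(fixed_version_only: bool, wire_format: str) -> bool:
    """Model of the reply: a server pinned with -ssl3 or -tls1 only reads
    record-framed hellos; one restricted with -no_ssl2 reads both framings."""
    return wire_format == "tls-record" or not fixed_version_only

def sample_v2_compatible_hello() -> bytes:
    # Constructed sample: one cipher spec, no session id, 16-byte challenge.
    body = struct.pack(">BBBHHH", 1, 3, 1, 3, 0, 16) + b"\x00\x00\x0a" + bytes(16)
    return struct.pack(">H", 0x8000 | len(body)) + body

def sample_tls_record_hello() -> bytes:
    # Constructed sample: TLSv1 ClientHello with one cipher suite.
    hello = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x02\x00\x0a" + b"\x01\x00"
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake

if __name__ == "__main__":
    for name, raw in (("v2-compatible", sample_v2_compatible_hello()),
                      ("record", sample_tls_record_hello())):
        fmt, ver = classify_client_hello(raw)
        print(name, fmt, ver, "pinned server parses it:", server_parses(True, fmt))
```

Both samples offer TLSv1 as the highest version; only the framing differs, which is why a server started with -ssl3 or -tls1 rejects the first one while a server restricted with -no_ssl2 can still negotiate from it.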