On Tue, Jan 14, 2003 at 06:23:53AM -0800, Tim Regovich wrote:
> I removed Opera from the equation, and went to a basic
> setup whereby I was running only s_server and
> s_client. On the s_server side, I ran using the -tls1
> option which chooses the TLSv1_server_method call.
> I also set -no_ssl2, which in effect does an |=
> SSL_OP_NO_SSLv2. On the client side, I ran s_client
> using no options, and I get a connection error.
> Running s_client -tls1 and all is well.
> After looking at the code for the *_server_method
> calls, I tried using only the -no_ssl2 option, which
> uses the default SSLv23_server_method, again setting
> the SSL_OP_NO_SSLv2. I tried the connection from the
> client side again, using no options, and a new TLSv1
> session is negotiated.
>
> The negotiation was definitely the issue. Even though
> I have configured my client to (allegedly) only use
> TLS, it is sending the v2 client hello. However, if
> this is the norm, and not the exception, should the
> get_hello function for the TLS method not support the
> v2 client hello and negotiate up to TLS? I need to
> examine the code a little more closely, but my initial
> concern is that the v23 code has unnecessary code if I
> *know* that the end result will always be a TLS
> session.
>
> For now, I will use the v23 method call and set the
> OP_NO_SSLv2 and OP_NO_SSLv3 options.
There are not many alternatives. If a client sends out a TLSv1 request,
it will fail with all servers that only offer SSLv2 and the widely
distributed SSLv3. Therefore it is common for a client to send out an
SSLv2 compatible client hello in order to achieve best compatibility.
(A solution would be to try TLSv1, SSLv3 and SSLv2 one after the other,
but for obvious reasons there would be a significant price to pay.)

Best regards,
	Lutz
--
Lutz Jaenicke                             [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
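The behaviour the two messages above describe (a ClientHello in SSLv2 wire format that nevertheless announces TLSv1 as the client's highest version, a version-flexible server that negotiates up from it, a TLSv1-only method that rejects the v2 format outright, and SSL_OP_NO_* bits that mask versions out) is modelled in the following Python code. This is an added example, not code from the thread or from OpenSSL: the option constants, the `build_*` hello constructors and the `negotiate()` function are constructed for illustration, and the message layouts follow the SSLv2 CLIENT-HELLO and the SSLv3/TLS handshake record as described in their specifications.

```python
"""Model of SSLv23-style version negotiation.

A client that wants maximum compatibility sends its hello in SSLv2 wire
format but puts its highest supported version (e.g. TLSv1) in the
CLIENT-VERSION field.  A version-flexible server reads that field and
picks the highest version both sides allow, minus anything disabled by
an SSL_OP_NO_* style option.  A TLSv1-only server method never parses
the v2 format, so the same client hello fails there.
"""
import struct

SSL2, SSL3, TLS1 = 0x0002, 0x0300, 0x0301
NAMES = {SSL2: "SSLv2", SSL3: "SSLv3", TLS1: "TLSv1"}

# Option bits in the spirit of OpenSSL's SSL_OP_NO_SSLv2 / SSL_OP_NO_SSLv3 /
# SSL_OP_NO_TLSv1.  The numeric values are constructed for this model only.
OP_NO_SSLv2, OP_NO_SSLv3, OP_NO_TLSv1 = 1, 2, 4
DISABLE_BIT = {SSL2: OP_NO_SSLv2, SSL3: OP_NO_SSLv3, TLS1: OP_NO_TLSv1}


def build_v2_hello(client_version, cipher_specs=(b"\x00\x00\x2f",),
                   challenge=b"\x11" * 16):
    """Constructed SSLv2-format CLIENT-HELLO announcing `client_version`."""
    specs = b"".join(cipher_specs)          # v2 cipher specs are 3 bytes each
    body = struct.pack(">BHHHH", 0x01, client_version,
                       len(specs), 0, len(challenge)) + specs + challenge
    # 2-byte length header with the high bit set (no padding byte follows)
    return struct.pack(">H", 0x8000 | len(body)) + body


def build_v3_hello(client_version, record_version=SSL3):
    """Constructed SSLv3/TLS-format ClientHello inside a handshake record."""
    suites = b"\x00\x2f"
    hello = (struct.pack(">H", client_version) + b"\x22" * 32   # version, random
             + b"\x00"                                          # empty session id
             + struct.pack(">H", len(suites)) + suites          # cipher suites
             + b"\x01\x00")                                     # null compression
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello  # type 1 = ClientHello
    return b"\x16" + struct.pack(">HH", record_version, len(handshake)) + handshake


def parse_client_hello(data):
    """Return (wire_format, client_max_version) for either hello format."""
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01:
        # v2 format: length header, msg type 1, then CLIENT-VERSION
        return "v2", struct.unpack(">H", data[3:5])[0]
    if len(data) >= 11 and data[0] == 0x16 and data[5] == 0x01:
        # v3/TLS format: record header, handshake type 1, length, client_version
        return "v3", struct.unpack(">H", data[9:11])[0]
    raise ValueError("not a recognised ClientHello")


def negotiate(data, options, server_max=TLS1, accept_v2_hello=True):
    """Pick the protocol version a server would settle on, or None.

    accept_v2_hello=True models the SSLv23 (version-flexible) server method;
    False models a TLSv1-only method that does not understand the v2 format.
    """
    wire, client_max = parse_client_hello(data)
    if wire == "v2" and not accept_v2_hello:
        return None
    for version in sorted(NAMES, reverse=True):       # highest version first
        if version > min(client_max, server_max):
            continue
        if options & DISABLE_BIT[version]:            # masked out by SSL_OP_NO_*
            continue
        if version == SSL2 and wire != "v2":          # SSLv2 needs the v2 hello
            continue
        return version
    return None


def scenarios():
    """The cases from the thread, as (label, negotiated version name)."""
    v2_tls = build_v2_hello(TLS1)        # default s_client: v2 format, says TLSv1
    cases = [
        ("TLSv1-only method, v2-format hello", negotiate(v2_tls, OP_NO_SSLv2, accept_v2_hello=False)),
        ("SSLv23 method + NO_SSLv2, v2-format hello", negotiate(v2_tls, OP_NO_SSLv2)),
        ("SSLv23 method + NO_SSLv2|NO_SSLv3", negotiate(v2_tls, OP_NO_SSLv2 | OP_NO_SSLv3)),
        ("TLSv1-only method, v3-format hello", negotiate(build_v3_hello(TLS1), 0, accept_v2_hello=False)),
        ("SSLv2-only client vs NO_SSLv2", negotiate(build_v2_hello(SSL2), OP_NO_SSLv2)),
    ]
    return [(label, NAMES.get(v, "no connection")) for label, v in cases]


if __name__ == "__main__":
    for label, result in scenarios():
        print(f"{label:45s} -> {result}")
```

The third scenario is the workaround the first message settles on: keep the version-flexible method so the v2-format hello is still understood, and rely on the option bits to guarantee that the negotiated session is never SSLv2 or SSLv3. The model also shows the cost of that flexibility: with TLSv1 and SSLv3 masked out and SSLv2 left enabled, the same hello would negotiate down to SSLv2.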