Marek Marcola wrote:
> Hello,
>
>>>> It seems the OpenSSL TLS server, when forced to use TLSv1,
>>>> shuts down the connection immediately after receiving a
>>>> ClientHello with major version number not equal to 0x03.
>>>> Nothing was sent to the client to notify the error.
>>>>
>>> What could be sent to the client to notify it of the error? Since the server
>>> was forced to speak TLSv1, and all evidence suggests the client does not
>>> speak TLSv1, what format should the error notification take?
>>>
>> Depends.
>> If an SSL3-only client connects to a TLS1-only
>> server then an SSL3 alert message will be sent to the client (by the server).
>>
>
>
>> If an SSL2 handshake is sent by the client to the server (with an SSL3/TLS1
>> proposition or not) the TCP socket will be closed by the server.
>>
> This statement is for OpenSSL only, but after looking at that
> a second time I think that this is a bug.
> Why is a TLS1 proposition rejected when sent in an SSL2 client_hello packet,
> and the TCP connection closed (instead of sending an alert message)?
> The SSL2 client_hello is a compatibility method here.
> These connections should not be closed but established in TLS1 mode.
>
> In GNUTLS this works OK and in every case (SSL2/SSL3/TLS1/TLS11) a proper
> alert message is returned to the client.

This technique is supported in OpenSSL as well, you just have to configure it in a different way. Use the "sslv23_method", which will accept all protocols, and use the SSL_OP_NO_SSLv2 etc. options with SSL_set_options() to restrict the protocols so that only TLSv1 is supported. If you choose the tlsv1_method, you explicitly choose to not accept the compatible handshaking.
Best regards,
    Lutz
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                               [EMAIL PROTECTED]
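As an added illustration of Lutz's point (not code from this thread or from OpenSSL itself): a dependency-free C parser that pulls the client's proposed protocol version out of both ClientHello framings the thread discusses, the SSLv2-compatible CLIENT-HELLO and the SSLv3/TLS record, and then applies the "accept any framing, restrict the version" policy that sslv23_method plus SSL_OP_NO_SSLv2/SSL_OP_NO_SSLv3 expresses. All function and constant names, the sample byte strings and the 0x0301 threshold are constructed here for the example.

```c
#include <stddef.h>
#include <stdint.h>

enum hello_kind { HELLO_MALFORMED = 0, HELLO_V2_COMPAT = 2, HELLO_V3_RECORD = 3 };

struct hello_info {
    enum hello_kind kind;
    uint16_t proposed_version; /* client's highest offered version; 0x0301 = TLS1 */
};
/* Read just enough of the first bytes on the socket to learn which framing the
 * client used and which protocol version it proposes. */
struct hello_info parse_client_hello(const uint8_t *buf, size_t len) {
    struct hello_info info = { HELLO_MALFORMED, 0 };
    if (len < 5) return info;
    if (buf[0] & 0x80) {
        /* SSLv2-style CLIENT-HELLO: 2-byte header (high bit set, 15-bit length),
         * msg_type 1, then the 2-byte version the client actually proposes. */
        size_t rec_len = (size_t)(((buf[0] & 0x7f) << 8) | buf[1]);
        if (buf[2] != 0x01 || rec_len < 9 || len < 2 + rec_len) return info;
        info.kind = HELLO_V2_COMPAT;
        info.proposed_version = (uint16_t)((buf[3] << 8) | buf[4]);
    } else if (buf[0] == 0x16) {
        /* SSLv3/TLS record: content type 22, record version, 2-byte length, then
         * the handshake header (type 1, 3-byte length) and 2-byte client_version. */
        size_t rec_len = (size_t)((buf[3] << 8) | buf[4]);
        if (len < 11 || rec_len < 6 || buf[5] != 0x01) return info;
        info.kind = HELLO_V3_RECORD;
        info.proposed_version = (uint16_t)((buf[9] << 8) | buf[10]);
    }
    return info;
}

/* Lutz's policy: take either framing (what sslv23_method does), then apply the
 * version restriction (what SSL_OP_NO_SSLv2 and friends do). Returns 1 when the
 * handshake may continue as TLS1, 0 when the server should refuse it. */
int tls1_only_accepts(const uint8_t *buf, size_t len) {
    struct hello_info h = parse_client_hello(buf, len);
    return h.kind != HELLO_MALFORMED && h.proposed_version >= 0x0301;
}

/* Constructed sample: SSLv2-compatible CLIENT-HELLO proposing TLS1 (03 01), one
 * cipher spec, no session id, 16-byte challenge. This is the case the thread
 * says tlsv1_method drops but sslv23_method should accept. */
const uint8_t SAMPLE_V2_HELLO_TLS1[] = {
    0x80, 0x1c, 0x01, 0x03, 0x01, 0x00, 0x03, 0x00, 0x00, 0x00, 0x10,
    0x00, 0x00, 0x2f, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
/* Constructed sample: leading bytes of an SSLv3 record whose ClientHello carries
 * client_version 03 00, i.e. an SSL3-only client. */
const uint8_t SAMPLE_V3_HELLO_SSL3[] = {
    0x16, 0x03, 0x00, 0x00, 0x2d, 0x01, 0x00, 0x00, 0x29, 0x03, 0x00 };
```

With a real server the refusal branch is where an alert should go out before the socket is closed, which is the behaviour Marek contrasts between GnuTLS and the tlsv1_method case.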