Hello,
> >>>> It seems the OpenSSL TLS server, when forced to use TLSv1,
> >>>> shuts down the connection immediately after receiving a
> >>>> ClientHello with major version number not equal to 0x03.
> >>>> Nothing was sent to the client to notify the error.
> >>>>
> >>> What could be sent to the client to notify it of the error? Since the
> >>> server was forced to speak TLSv1, and all evidence suggests the client
> >>> does not speak TLSv1, what format should the error notification take?
> >>>
> >> Depends.
> >> If an SSL3-only client connects to a TLS1-only
> >> server then an SSL3 alert message will be sent to the client (by the server).
> >>
> >
> >> If an SSL2 handshake is sent by the client to the server (with an SSL3/TLS1
> >> proposition or not) the TCP socket will be closed by the server.
> >>
> > This statement is for OpenSSL only, but after looking at it a
> > second time I think that this is a bug.
> > Why is a TLS1 proposition rejected when sent in an SSL2 client_hello packet,
> > and the TCP connection closed (instead of sending an alert message)?
> > The SSL2 client_hello is a compatibility method here.
> > These connections should not be closed but established in TLS1 mode.
> >
> > In GNUTLS this works OK, and in any case (SSL2/SSL3/TLS1/TLS11) a proper
> > alert message is returned to the client.
> This technique is supported in OpenSSL as well, you just have to configure
> it in a different way. Use the "sslv23_method", which will accept all
> protocols, and use the SSL_OP_NO_SSLv2 etc. options with SSL_set_options()
> to restrict the protocols so that only TLSv1 is supported.
> If you choose the tlsv1_method, you explicitly choose not to accept the
> compatible handshaking.
Yes, I know, but in GNUTLS, even if I select only TLS1.0 (in GNUTLS
naming) on the server, an SSL2 handshake with a TLS1 proposition is successful
(ending with a TLS1 connection). I think that this is OK.

Best regards,
-- 
Marek Marcola <[EMAIL PROTECTED]>
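
As an added illustration (not code from this thread, from OpenSSL or from GnuTLS), the C below parses the two ClientHello framings the thread is arguing about, extracts the version the client proposes, and models the two server configurations the reply describes. The hello bytes are constructed test vectors, and the two accept functions are simplified models of the behaviour described in the thread, not OpenSSL's actual logic.

```c
#include <stddef.h>
#include <stdint.h>
enum hello_format { HELLO_INVALID = 0, HELLO_V2_COMPAT, HELLO_RECORD_LAYER };
struct hello_info { enum hello_format format; uint8_t major, minor; };

/* Classify the first bytes a server reads and extract the client_version
 * the client proposes (constructed helper; not OpenSSL's parser). */
struct hello_info parse_client_hello(const uint8_t *buf, size_t len)
{
    struct hello_info info = { HELLO_INVALID, 0, 0 };
    if (len >= 11 && buf[0] == 0x16 && buf[1] == 0x03 && buf[5] == 0x01) {
        /* SSLv3/TLS record layer: handshake record (0x16) with a 5-byte
         * header, then handshake type 0x01, 3-byte length, client_version. */
        info.format = HELLO_RECORD_LAYER;
        info.major = buf[9];
        info.minor = buf[10];
    } else if (len >= 5 && (buf[0] & 0x80) && buf[2] == 0x01) {
        /* SSLv2-compatible CLIENT-HELLO (RFC 6101 App. E): 2-byte record header
         * with the high bit set, msg_type 0x01, then the client_version. */
        info.format = HELLO_V2_COMPAT;
        info.major = buf[3];
        info.minor = buf[4];
    }
    return info;
}

/* Simplified model of tlsv1_method as the thread describes it: only a
 * record-layer hello is read, and it must propose exactly 3.1. */
int tlsv1_method_accepts(struct hello_info h)
{
    return h.format == HELLO_RECORD_LAYER && h.major == 3 && h.minor == 1;
}

/* Simplified model of sslv23_method with SSL_OP_NO_SSLv2: either framing is
 * read, but the proposed version must be at least TLS 1.0 (3.1). */
int sslv23_no_sslv2_accepts(struct hello_info h)
{
    return h.format != HELLO_INVALID && h.major == 3 && h.minor >= 1;
}
static const uint8_t v2_hello_tls1[] = {   /* constructed: SSLv2 framing, 3.1 */
    0x80, 0x1C, 0x01, 0x03, 0x01, 0x00, 0x03, 0x00, 0x00, 0x00, 0x10,
    0x00, 0x00, 0x0A,                      /* one 3-byte cipher spec      */
    0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11,
    0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11, 0x11 };  /* 16-byte challenge */
static const uint8_t tls1_hello[] = {      /* constructed: TLS 1.0 record */
    0x16, 0x03, 0x01, 0x00, 0x2D, 0x01, 0x00, 0x00, 0x29, 0x03, 0x01,
    0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
    0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22,
    0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, 0x22, /* random */
    0x00, 0x00, 0x02, 0x00, 0x0A, 0x01, 0x00 };  /* no sid, 1 suite, null */
```

Running the two vectors through both models shows the thread's point: the SSLv2-framed hello proposing 3.1 is dropped by the tlsv1_method model but accepted by the sslv23_method + SSL_OP_NO_SSLv2 model.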

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]