On Wed, Oct 29, 2014 at 4:16 AM, Yann Ylavic <ylavic....@gmail.com> wrote:
> Actually I tested the above with my earlier patch (slightly modified
> to initialize "ANY" with SSL_PROTOCOL_ALL|SSL_PROTOCOL_ANY instead of
> SSL_PROTOCOL_ANY alone) and it seems to work.
>
> With OpenSSL 0.9.8o (debian squeeze) :
> - openssl s_client using SSLv23 connects with SSLv2Hello and httpd
> handshakes correctly with TLSv1,
> - openssl s_client using TLSv1 connects with SSLv3Hello (version
> TLSv1) and httpd handshakes correctly with TLSv1,
> - openssl s_client using SSLv3 connects with SSLv3Hello (version
> SSLv3) and httpd refuses to handshake.

Forgot to mention the OP reproducer, that is with "SSLProtocol ALL
-SSLv3" (with or without the patch), both SSLv2Hello and SSLv3Hello
(version SSLv3) are refused by httpd.

>
> Regards,
> Yann.
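
The client cases in this message differ in two things: the framing of the first message (SSLv2-compatible hello or SSLv3/TLS record) and the protocol version offered inside it. The Python sketch below is an added example, not part of the original mail or of httpd; it classifies both from the first bytes a client sends. The sample hellos are constructed, and the version offered in the SSLv2Hello sample (TLSv1) is an assumption.

```python
import struct

# Wire values for the protocol versions named in the mail (plus later TLS).
VERSIONS = {0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLSv1",
            0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

def classify_client_hello(data: bytes):
    """Return (hello_format, offered_version) from a client's first bytes."""
    if len(data) < 5:
        raise ValueError("need at least 5 bytes")
    # SSLv2 framing: 2-byte length with the high bit set, msg type 1, version.
    if data[0] & 0x80 and data[2] == 0x01:
        version = struct.unpack_from(">H", data, 3)[0]
        return "SSLv2Hello", VERSIONS.get(version, hex(version))
    # SSLv3/TLS framing: record type 22, record version, length, then the
    # handshake header (type 1, 3-byte length) and client_version.
    if data[0] == 0x16 and data[1] == 0x03:
        if len(data) < 11 or data[5] != 0x01:
            raise ValueError("handshake record does not start with ClientHello")
        version = struct.unpack_from(">H", data, 9)[0]
        return "SSLv3Hello", VERSIONS.get(version, hex(version))
    raise ValueError("not an SSL/TLS ClientHello")

def v2_hello(version: int) -> bytes:
    """Constructed SSLv2-compatible hello: one cipher spec, 16-byte challenge."""
    body = struct.pack(">BHHHH", 1, version, 3, 0, 16) + b"\x00\x00\x2f" + bytes(16)
    return struct.pack(">H", 0x8000 | len(body)) + body

def v3_hello(version: int) -> bytes:
    """Constructed SSLv3/TLS record hello: one cipher suite, null compression."""
    body = (struct.pack(">H", version) + bytes(32) + b"\x00"
            + b"\x00\x02\x00\x2f" + b"\x01\x00")
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack(">BHH", 0x16, version, len(handshake)) + handshake

# Constructed stand-ins for the three s_client runs listed in the mail.
SAMPLES = {"SSLv23": v2_hello(0x0301),
           "TLSv1": v3_hello(0x0301),
           "SSLv3": v3_hello(0x0300)}

if __name__ == "__main__":
    for method, hello in SAMPLES.items():
        print(method, classify_client_hello(hello))
```

Run against the first bytes of a captured connection, the same function shows which hello format and offered version a client used when a handshake is refused.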