On 2011-01-30 11:48 PDT, Wan-Teh Chang wrote:
> On Sun, Jan 30, 2011 at 1:32 AM, Nelson B Bolyard <nel...@bolyard.me> wrote:
>> Firefox doesn't send TLS client hellos to servers that fail to
>> complete ANY handshake with ANY version of SSL or TLS some number of
>> times in a row when it has tried sending TLS client hellos. Once it
>> decides the server is incompatible with TLS client hellos, it stops
>> trying to do that and falls back on some OLD OLD behavior where it
>> sends SSL 3.0 client hellos encapsulated in SSL 2 records. They're
>> actually SSL3 hellos, but the point is that the server has failed too
>> many times.
>
> Here is the fallback code (in Firefox 3.0.x) that Nelson mentioned:
>
> http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/manager/ssl/src/nsNSSIOLayer.cpp&rev=1.166&mark=3134-3135,3145-3154#3134

> I think it is fine to delete the SSL_OptionSet(fd,
> SSL_V2_COMPATIBLE_HELLO, PR_TRUE) call now.

Agreed, we should do this for ... probably too late now ... for FF4.
Maybe 4.01 ?

--
/Nelson Bolyard
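
The two client hello framings discussed in this thread, as an added example that is not part of the original messages and is not NSS code: a C function that tells a hello sent in SSL 2 record format (the framing the SSL_V2_COMPATIBLE_HELLO option enables) from one sent in an SSL 3.0/TLS record, as a server operator or sensor would when auditing which clients still use the old framing. The type names, function name and sample bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* All names below are this example's own, not NSS identifiers. */
enum hello_kind { HELLO_UNKNOWN, HELLO_V3_RECORD, HELLO_V2_COMPAT, HELLO_V2_ONLY };
struct hello_info { enum hello_kind kind; uint8_t major, minor; };

/* Classify the first bytes a client sends and report the version it offers. */
struct hello_info classify_client_hello(const uint8_t *b, size_t n)
{
    struct hello_info r = { HELLO_UNKNOWN, 0, 0 };
    if (b == NULL || n < 5)
        return r;
    if (b[0] == 22 && b[1] == 3) {
        /* SSL 3.0/TLS record: type 22, version, 2-byte length, then
         * handshake type 1 (ClientHello), 3-byte length, client_version. */
        if (n >= 11 && b[5] == 1) {
            r.kind = HELLO_V3_RECORD;
            r.major = b[9];
            r.minor = b[10];
        }
    } else if ((b[0] & 0x80) && b[2] == 1) {
        /* SSL 2 record: 2-byte header with high bit set, message type 1
         * (CLIENT-HELLO), version, then three 2-byte length fields. */
        size_t len = ((size_t)(b[0] & 0x7f) << 8) | b[1];
        if (len >= 9) {
            r.kind = (b[3] >= 3) ? HELLO_V2_COMPAT : HELLO_V2_ONLY;
            r.major = b[3];
            r.minor = b[4];
        }
    }
    return r;
}

/* Constructed samples: only the leading header bytes of each hello. */
static const uint8_t sample_v2_compat[] = { 0x80, 0x2e, 0x01, 0x03, 0x00,
                                            0x00, 0x15, 0x00, 0x00, 0x00, 0x10 };
static const uint8_t sample_tls_record[] = { 0x16, 0x03, 0x01, 0x00, 0x2f,
                                             0x01, 0x00, 0x00, 0x2b, 0x03, 0x01 };

int main(void)
{
    struct hello_info a = classify_client_hello(sample_v2_compat, sizeof sample_v2_compat);
    struct hello_info b = classify_client_hello(sample_tls_record, sizeof sample_tls_record);
    printf("v2-format hello: kind=%d version=%u.%u\n", a.kind, a.major, a.minor);
    printf("record hello:    kind=%d version=%u.%u\n", b.kind, b.major, b.minor);
    return 0;
}
```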