In message <[EMAIL PROTECTED]> on Wed, 8 Oct 2003 00:30:34 -0400,
Geoff Thorpe <[EMAIL PROTECTED]> said:

geoff> Which reminds me, I'm not sure yet about my last post's
geoff> comments on this "sslv3/tlsv1 methods can't internegotiate"
geoff> stuff - I'm less sure now of what I was seeing than I was when
geoff> I was seeing it.

In the OpenSSL implementation, that does seem to be true.

geoff> However I still leave my other comments from that post up as
geoff> open questions; in particular, I'm still wondering how an
geoff> attacker could be prevented from rewriting SSLv2-compatible
geoff> ClientHellos as v2-only and getting away with it.

I doubt an attacker can be prevented from doing that.  After all, the
returned ServerHello will (or will not) confirm that v2 is the
protocol they will run.  I personally believe that accepting SSLv2 is
a mistake.  Do you mean that we should remove SSLv2 support from
OpenSSL?  I would welcome that, but considering there are still
SSLv2-only servers out there (!!!), I'm not sure what the impact would
be for us, support-wise.

However, my topic here isn't about SSLv2.  My focus is much more on
SSLv3 and TLSv1 interoperability (and whenever that comes out, TLSv1.1
should be included in that group as well).

geoff> I need to look closer at this too but I have a suspicion that
geoff> the vtable-gymnastics in the v23 wrapper might need to be
geoff> replicated for v31.  I.e. perhaps we'll need a new
geoff> negotiator-method just for versions with major number 0x03?
geoff> Then again, perhaps this is already "there" but I just don't
geoff> see it yet ... :-)

It looked like something of that sort is there already, but I'm still
pretty new at reading the ssl/ code...

I'd like there to be a much more general wrapper.  It looks like the
current one is mostly built to allow the SSLv2-compatibility mode and
not much more (hence the name SSLv23).  A more general wrapper would
be able to have any suitable version of SSL/TLS interoperate,
including future versions of TLS.  Maybe there are already things in
place to do that, but I sure haven't been able to make them talk with
each other, yet.

-- 
Richard Levitte   \ Tunnlandsvägen 3  \ [EMAIL PROTECTED]
[EMAIL PROTECTED]  \ S-168 36  BROMMA  \ T: +46-8-26 52 47
                    \      SWEDEN       \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis                -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
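
Added example, not part of the original message and not OpenSSL code: a minimal C classifier showing where the offered version sits in an SSLv2-framed ClientHello versus an SSLv3/TLS-framed one, with a server-side policy that refuses hellos offering only SSLv2. All identifiers and the sample byte prefixes are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
/* Hypothetical names for this example; none are OpenSSL identifiers. */
enum hello_format { HELLO_UNKNOWN, HELLO_TRUNCATED, HELLO_V2_FRAMED, HELLO_V3_RECORD };
struct hello_info { enum hello_format format; uint16_t offered_version; };

/* Constructed sample prefixes (headers only, bodies omitted). */
static const uint8_t V2_COMPAT_TLS1[] = { 0x80, 0x2e, 0x01, 0x03, 0x01 };
static const uint8_t V2_ONLY[]        = { 0x80, 0x2e, 0x01, 0x00, 0x02 };
static const uint8_t V3_RECORD_TLS1[] = { 0x16, 0x03, 0x01, 0x00, 0x2d,
                                          0x01, 0x00, 0x00, 0x29, 0x03, 0x01 };

/* Classify the first bytes a server reads on a new connection. */
struct hello_info classify_client_hello(const uint8_t *p, size_t len)
{
    struct hello_info r = { HELLO_UNKNOWN, 0 };
    if (len < 5) { r.format = HELLO_TRUNCATED; return r; }
    /* SSLv2 framing: 2-byte length with the high bit set, message type 1
       (CLIENT-HELLO), then the highest version the client offers. */
    if ((p[0] & 0x80) && p[2] == 0x01) {
        r.format = HELLO_V2_FRAMED;
        r.offered_version = (uint16_t)((p[3] << 8) | p[4]);
        return r;
    }
    /* SSLv3/TLS framing: record type 22, record version, 2-byte length,
       handshake type 1, 3-byte length, then client_version. */
    if (p[0] == 0x16 && p[1] == 0x03) {
        if (len < 11) { r.format = HELLO_TRUNCATED; return r; }
        if (p[5] != 0x01) return r;            /* not a ClientHello */
        r.format = HELLO_V3_RECORD;
        r.offered_version = (uint16_t)((p[9] << 8) | p[10]);
    }
    return r;
}

/* Server-side policy: continue only if the hello offers SSLv3 or later. */
int hello_offers_v3_or_later(struct hello_info h)
{
    if (h.format != HELLO_V2_FRAMED && h.format != HELLO_V3_RECORD)
        return 0;
    return h.offered_version >= 0x0300;
}

int main(void)
{
    struct hello_info a = classify_client_hello(V2_COMPAT_TLS1, sizeof V2_COMPAT_TLS1);
    struct hello_info b = classify_client_hello(V2_ONLY, sizeof V2_ONLY);
    return (hello_offers_v3_or_later(a) && !hello_offers_v3_or_later(b)) ? 0 : 1;
}
```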