In message <[EMAIL PROTECTED]> on Wed, 8 Oct 2003 00:30:34 -0400, Geoff Thorpe <[EMAIL PROTECTED]> said:
geoff> Which reminds me, I'm not sure yet about my last post's geoff> comments on this "sslv3/tlsv1 methods can't internegotiate" geoff> stuff - I'm less sure now of what I was seeing than I was when geoff> I was seeing it. In the OpenSSL implementation, that does seem to be true. geoff> However I still leave my other comments from that post up as geoff> open questions; in particular, I'm still wondering how an geoff> attacker could be prevented from rewriting SSLv2-compatible geoff> ClientHellos as v2-only and getting away with it. I doubt an attacker can be prevented from doing that. After all, the returned ServerHello will (or will not) confirm that v2 is the protocol they will run. I personally believe that accepting SSLv2 is a mistake. Do you mean that we should remove SSLv2 support from OpenSSL? I would welcome that, but considering there are still SSLv2-only servers out there (!!!), I'm not sure what the impact would be for us, support-wise. However, my topic here isn't about SSLv2. My focus is much more on SSLv3 and TLSv1 interoperability (and whenever that comes out, TLSv1.1 should be included in that group as well). geoff> I need to look closer at this too but I have a suspicion that geoff> the vtable-gymnastics in the v23 wrapper might need to be geoff> replicated for v31. Ie. perhaps we'll need a new geoff> negotiator-method just for versions with major number 0x03? geoff> Then again, perhaps this is already "there" but I just don't geoff> see it yet ... :-) It looked like something of that sort is there already, but I'm still pretty new at reading the ssl/ code... I'd like there to be a much more general wrapper. It looks like the current one is mostly built to allow the SSLv2-compatibility mode and not much more (hence the name SSLv23). A more general wrapper would be able to have any suitable version of SSL/TLS interoperate, including future versions of TLS. Maybe there are already things in place to do that, but I sure haven't been able to make them talk with each other, yet. -- Richard Levitte \ Tunnlandsvägen 3 \ [EMAIL PROTECTED] [EMAIL PROTECTED] \ S-168 36 BROMMA \ T: +46-8-26 52 47 \ SWEDEN \ or +46-708-26 53 44 Procurator Odiosus Ex Infernis -- [EMAIL PROTECTED] Member of the OpenSSL development team: http://www.openssl.org/ Unsolicited commercial email is subject to an archival fee of $400. See <http://www.stacken.kth.se/~levitte/mail/> for more info. ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]