> SSL_CTX_set_options, should I indicate protocols using this function?
Before you do that, please realize TLS 1.0 is the least broken of the
protocols you are trying to enable. You really want all TLS 1.2
clients, but it's not widely implemented in clients and servers. I can
tell you that a number of organizations will not want SSL2/SSL3
clients accessing their corporate data.

Differences Between SSLv2, SSLv3, and TLS, www.yaksman.org/~lweith/ssl.pdf
Analysis of the SSL 3.0 Protocol, www.schneier.com/paper-ssl.html.

Jeff

On Mon, Oct 29, 2012 at 10:27 AM, Bhat, Jayalakshmi Manjunath
<jayalakshmi.b...@hp.com> wrote:
> Hi Charles,
>
> Thank you for the reply. I am not setting any option using
> SSL_CTX_set_options, should I indicate protocols using this function?
>
> From: owner-openssl-us...@openssl.org
> [mailto:owner-openssl-us...@openssl.org] On Behalf Of Charles Mills
> Sent: Monday, October 29, 2012 7:40 PM
> To: openssl-users@openssl.org
> Subject: RE: Need inputs/suggestions on SSL/TLS protocol version fallback
> mechanism.
>
> Do you call SSL_CTX_set_options() with bit flags (SSL_OP_ALL,
> SSL_OP_NO_SSLv3, etc.) to indicate the protocols you are willing to accept?
>
> BTW, openssl-users (not -dev) is the proper forum for this sort of
> question.
>
> From: owner-openssl-us...@openssl.org
> [mailto:owner-openssl-us...@openssl.org] On Behalf Of Bhat, Jayalakshmi
> Manjunath
> Sent: Monday, October 29, 2012 5:27 AM
> To: openssl-...@openssl.org; openssl-users@openssl.org
> Subject: Need inputs/suggestions on SSL/TLS protocol version fallback
> mechanism.
>
> I have a client application that uses SSL23_client_method(). When the client
> connects to a server that supports TLS 1.0 there are no issues.
> When the client connects to a server that supports only SSLv3.0, the
> connection is aborted with a protocol number error.
>
> I have a couple of questions around this issue.
>
> 1. If I would like to support the fallback mechanism, I need to implement
> it in the client application. The SSL client state machine in OpenSSL does
> not implement any fallback.
>
> 2. I did not see any recommendation in the SSL/TLS RFCs to implement the
> fallback mechanism. I wanted to know whether there are any side effects in the
> OpenSSL library if a fallback mechanism is implemented.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
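
An added example, not part of the original thread: it uses Python's ssl module (a wrapper over OpenSSL, whose ssl.OP_NO_* values are the SSL_OP_NO_* bits passed to SSL_CTX_set_options()) to show how those flags change the versions a version-flexible client offers in its ClientHello. The helper names and the host name server.example are made up for the example, and the handshake runs against memory buffers with no network.

```python
import ssl
import warnings

NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
         0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}

def make_client(disable=0):
    """Version-flexible client context with extra OP_NO_* bits set."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    with warnings.catch_warnings():
        # Recent Python versions flag OP_NO_* as deprecated in favour of
        # minimum_version/maximum_version; the bits still work.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3 | disable
    return ctx

def u16(buf, i):
    return int.from_bytes(buf[i:i + 2], "big")

def offered_versions(ctx):
    """Return (legacy_version, supported_versions) of ctx's ClientHello."""
    inbio, outbio = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(inbio, outbio, server_hostname="server.example")
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass                              # expected: no server will answer
    rec = outbio.read()
    if rec[0] != 22 or rec[5] != 1:       # handshake record, ClientHello
        raise ValueError("first flight is not a ClientHello")
    body = rec[9:9 + int.from_bytes(rec[6:9], "big")]
    legacy = u16(body, 0)
    pos = 2 + 32                          # client_version, random
    pos += 1 + body[pos]                  # session_id
    pos += 2 + u16(body, pos)             # cipher_suites
    pos += 1 + body[pos]                  # compression_methods
    offered, pos = [], pos + 2            # skip the extensions length field
    while pos + 4 <= len(body):
        etype, elen = u16(body, pos), u16(body, pos + 2)
        if etype == 43:                   # supported_versions extension
            offered = [u16(body, i) for i in range(pos + 5, pos + 4 + elen, 2)]
        pos += 4 + elen
    return legacy, offered

if __name__ == "__main__":
    for label, flags in (("default", 0), ("no TLS 1.3", ssl.OP_NO_TLSv1_3)):
        legacy, offered = offered_versions(make_client(flags))
        print(label, NAMES.get(legacy), [NAMES.get(v, hex(v)) for v in offered])
```

The client sends a single ClientHello carrying every version it is still willing to speak, so the flags decide what the server can select.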
