I'm a bit confused on the appropriate protocol versions to use on a ClientHello in my SSL/TLS implementation. (I am using s_server to test my client code.) I say “versions” as there is the record version and the suggested protocol version. Ignoring SSLv2, the initial ClientHello to a server should have a record version of 3.0, as the lowest supported, and 3.3 as the suggested version (or whatever is the highest supported by the client).
RFC 5246 states on page 40 for ClientHello: "client_version The version of the TLS protocol by which the client wishes to communicate during this session. This SHOULD be the latest (highest valued) version supported by the client. For this version of the specification, the version will be 3.3 (see Appendix E for details about backward compatibility)." That's clear and unequivocal -- not sure why it is not a MUST, just a SHOULD. I'm guessing this is to allow servers to be more permissive and increase interoperability?

In Appendix E there are two interesting statements:

"If a TLS server receives a ClientHello containing a version number greater than the highest version supported by the server, it MUST reply according to the highest version supported by the server." So if the client sent 3.3 as the suggested version, I can assume that whatever the server negotiates is the highest version it supports, correct?

"Whenever a client already knows the highest protocol version known to a server (for example, when resuming a session), it SHOULD initiate the connection in that native protocol." OK, here is where I am confused. If the server negotiated 3.1, and I am doing session resumption, what protocol versions should I send in the ClientHello to be compliant with the RFC? Should the record version be 3.1 to satisfy the appendix, and the suggested version 3.3 to satisfy page 40?

My SSL/TLS implementation acting as a client sends record version 3.0 and suggested version 3.1, and OpenSSL s_server accepts it as OK. Is OpenSSL just being permissive to allow for interoperation? Thanks for any clarification. Also please advise if there are any differences in this area between session resumption and renegotiation.
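As an added illustration (this is not code from the original post, nor OpenSSL's), here is a minimal builder and parser for a TLS ClientHello record that keeps the record-layer version and the handshake client_version as two separate fields, so either combination (initial hello with 3.0/3.3, or a resumption hello that echoes a session ID with the server's known version) can be constructed and inspected. The session ID bytes and the two cipher suite values are constructed placeholders.

```python
import os
import struct

# Constructed example: builds a TLS 1.x ClientHello with independent record-layer
# and client_version fields, then parses both back out for inspection.

TLS_RECORD_HANDSHAKE = 0x16
HS_CLIENT_HELLO = 0x01


def build_client_hello(record_version, client_version, session_id=b"",
                       cipher_suites=(0x002F, 0x0035), random=None):
    """Return a handshake record (5-byte record header + ClientHello body).

    record_version / client_version are (major, minor) tuples, e.g. (3, 1) for TLS 1.0
    and (3, 3) for TLS 1.2.  A non-empty session_id models a resumption attempt.
    """
    random = random if random is not None else os.urandom(32)
    body = struct.pack("!BB", *client_version)          # client_version in the handshake
    body += random                                      # 32-byte client random
    body += struct.pack("!B", len(session_id)) + session_id
    body += struct.pack("!H", 2 * len(cipher_suites))   # cipher_suites length in bytes
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += b"\x01\x00"                                 # one compression method: null
    hs = struct.pack("!B", HS_CLIENT_HELLO) + len(body).to_bytes(3, "big") + body
    # Record layer carries its own version field, independent of client_version.
    return struct.pack("!BBBH", TLS_RECORD_HANDSHAKE, *record_version, len(hs)) + hs


def parse_versions(record):
    """Return (record_version, client_version, session_id) from a ClientHello record."""
    ctype, rmaj, rmin, rlen = struct.unpack("!BBBH", record[:5])
    if ctype != TLS_RECORD_HANDSHAKE or rlen != len(record) - 5:
        raise ValueError("not a well-formed handshake record")
    hs = record[5:]
    if hs[0] != HS_CLIENT_HELLO or int.from_bytes(hs[1:4], "big") != len(hs) - 4:
        raise ValueError("not a ClientHello")
    body = hs[4:]
    client_version = (body[0], body[1])                 # bytes 2..33 are the random
    sid_len = body[34]
    session_id = body[35:35 + sid_len]
    return (rmaj, rmin), client_version, session_id


if __name__ == "__main__":
    initial = build_client_hello((3, 0), (3, 3))
    resume = build_client_hello((3, 1), (3, 1), session_id=b"\xaa" * 8)
    print("initial hello:", parse_versions(initial)[:2])
    print("resumption hello:", parse_versions(resume))
```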