Hi,
> Basically we just need to relax the record layer check to SSLv3 - and
> leave the clienthello check as is, right?
>
> Does the attached diff do the job for you correctly, Pravin?

I have reproduced the issue with gnutls and can confirm that the patch fixes the problem.

The function now requires only SSLv3 or later in the record layer, but still requires at least TLSv1.0 in the client hello.

I don't think any SNI capable client announces SSLv2 in the record layer or worse.

I will submit the patch formally.

Regards,
Lukas
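The two-level version check described in the message above, sketched as an added example (it is not the attached diff or the project's code). The function name, result codes and sample byte strings are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical result codes for this sketch. */
enum hello_check {
    HELLO_OK, HELLO_TOO_SHORT, HELLO_NOT_HANDSHAKE,
    HELLO_BAD_RECORD_VERSION, HELLO_NOT_CLIENT_HELLO, HELLO_BAD_HELLO_VERSION
};

/* Constructed samples: 5-byte record header, 4-byte handshake header,
 * then the 2-byte client_version (rest of the hello omitted). */
static const uint8_t rec_ssl3_hello_tls12[]  = {0x16,0x03,0x00,0x00,0x06,0x01,0x00,0x00,0x02,0x03,0x03};
static const uint8_t rec_tls10_hello_tls12[] = {0x16,0x03,0x01,0x00,0x06,0x01,0x00,0x00,0x02,0x03,0x03};
static const uint8_t rec_ssl3_hello_ssl3[]   = {0x16,0x03,0x00,0x00,0x06,0x01,0x00,0x00,0x02,0x03,0x00};
static const uint8_t rec_v2_hello_tls12[]    = {0x16,0x02,0x00,0x00,0x06,0x01,0x00,0x00,0x02,0x03,0x03};

static enum hello_check check_hello_versions(const uint8_t *buf, size_t len)
{
    if (len < 11)                                   /* need up to client_version */
        return HELLO_TOO_SHORT;
    if (buf[0] != 0x16)                             /* content type: handshake */
        return HELLO_NOT_HANDSHAKE;
    /* Record layer: SSLv3 (0x0300) or later is enough. */
    if ((((unsigned)buf[1] << 8) | buf[2]) < 0x0300)
        return HELLO_BAD_RECORD_VERSION;
    /* Record payload must hold the handshake header and the version. */
    if ((((unsigned)buf[3] << 8) | buf[4]) < 6)
        return HELLO_TOO_SHORT;
    if (buf[5] != 0x01)                             /* handshake type: client hello */
        return HELLO_NOT_CLIENT_HELLO;
    /* Client hello: still at least TLSv1.0 (0x0301). */
    if ((((unsigned)buf[9] << 8) | buf[10]) < 0x0301)
        return HELLO_BAD_HELLO_VERSION;
    return HELLO_OK;
}

int main(void)
{
    printf("SSLv3 record, TLSv1.2 hello: %d\n",
           check_hello_versions(rec_ssl3_hello_tls12, sizeof rec_ssl3_hello_tls12));
    printf("SSLv3 record, SSLv3 hello:   %d\n",
           check_hello_versions(rec_ssl3_hello_ssl3, sizeof rec_ssl3_hello_ssl3));
    return 0;
}
```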