On Fri, Mar 02, 2001 at 12:30:05PM +0100, Richard Levitte - VMS Whacker wrote:
> From: Lutz Jaenicke <[EMAIL PROTECTED]>
> 
> Lutz.Jaenicke> The (needed) fix should have one side effect (from
> Lutz.Jaenicke> conclusion, I did not try it): Since the SSL_connect()
> Lutz.Jaenicke> is now performed with SSLv2 only, in case the session
> Lutz.Jaenicke> cannot be reused, the new session will also be of type
> Lutz.Jaenicke> SSLv2, even if both the server and the client could do
> Lutz.Jaenicke> better.
> 
> Hmm, isn't this true for SSL3 and TLS1 as well?  I'm not that good at
> finding my way in the SSL-specific code yet so I may very well be
> missing something.

Yes, that should be true as well. The difference is that the use of
SSLv2 is deprecated and SSLv3 or TLSv1 should be used. If I already
have SSLv3 or TLSv1 negotiated, I don't care to keep it.

Of course, this debate is more or less academic, since an SSLv2 session
that has once been negotiated was negotiated for a reason, so probably
both peers would not negotiate something different in the next attempt
(if not a configuration change took place in between).

Best regards,
        Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
