Andreas Sterbenz wrote:

> For the Sun JSSE provider, the default enabled protocols are SSLv3,
> TLSv1, and the pseudo protocol SSLv2Hello. The latter means that client
> hello messages are sent/ accepted in SSLv2 format. This is for better
> error diagnostic when talking to SSLv2 only implementations.

After revisiting Eric Rescorla's SSL and TLS, I come to the conclusion that
for the client, starting with a SSLv2 ClientHello msg would also be useful to
talk to a server that might be a version 2 server. At least in SSLv3 it was
specified for the server to continue with a v3 handshake, if it was able to
support the version number sent be the client (see page 135 of SSL and TLS).

> The result is that with the default settings a V2 client hello message
> requesting TLS 1.0 is sent.

...which is the most compatible way to speak to any unknown SSL/TLS server.
Shouldn't OpenSSL answer this v2 ClientHello with SSL-version no. 3.1 by
continuing with a TLS handshake? Or was this compatibility option left out in
OpenSSL by purpose?

RFC2246 ( http://www.ietf.org/rfc/rfc2246 ) states (Page 65):
"TLS 1.0 clients that support SSL Version 2.0 servers must send SSL
 Version 2.0 client hello messages [SSL2]. TLS servers should accept
 either client hello format if they wish to support SSL 2.0 clients on
 the same connection port. The only deviations from the Version 2.0
 specification are the ability to specify a version with a value of
 three and the support for more ciphering types in the CipherSpec.

Warning: The ability to send Version 2.0 client hello messages will be
phased out with all due haste. Implementors should make every
effort to move forward as quickly as possible. Version 3.0
provides better mechanisms for moving to newer versions."

Best Regards,
David Maurus

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to