On Mon, Apr 15, 2002 at 11:23:49PM +0200, David Maurus wrote:
> Andreas Sterbenz wrote:
>
> > For the Sun JSSE provider, the default enabled protocols are SSLv3,
> > TLSv1, and the pseudo protocol SSLv2Hello. The latter means that client
> > hello messages are sent/accepted in SSLv2 format. This is for better
> > error diagnostics when talking to SSLv2-only implementations.
>
> After revisiting Eric Rescorla's SSL and TLS, I come to the conclusion that
> for the client, starting with an SSLv2 ClientHello msg would also be useful to
> talk to a server that might be a version 2 server. At least in SSLv3 it was
> specified for the server to continue with a v3 handshake, if it was able to
> support the version number sent by the client (see page 135 of SSL and TLS).
>
> > The result is that with the default settings a V2 client hello message
> > requesting TLS 1.0 is sent.
>
> ...which is the most compatible way to speak to any unknown SSL/TLS server.
> Shouldn't OpenSSL answer this v2 ClientHello with SSL version no. 3.1 by
> continuing with a TLS handshake? Or was this compatibility option left out of
> OpenSSL on purpose?
>
> RFC2246 ( http://www.ietf.org/rfc/rfc2246 ) states (Page 65):
> "TLS 1.0 clients that support SSL Version 2.0 servers must send SSL
> Version 2.0 client hello messages [SSL2]. TLS servers should accept
> either client hello format if they wish to support SSL 2.0 clients on
> the same connection port. The only deviations from the Version 2.0
> specification are the ability to specify a version with a value of
> three and the support for more ciphering types in the CipherSpec.
>
> Warning: The ability to send Version 2.0 client hello messages will be
> phased out with all due haste. Implementors should make every
> effort to move forward as quickly as possible. Version 3.0
> provides better mechanisms for moving to newer versions."
The option to support the SSLv2 client hello is part of the SSLv23_method().
The TLSv1_method() is pure TLSv1, no SSLv2 client hello.

Best regards,
	Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
http://www.aet.TU-Cottbus.DE/personen/jaenicke/
BTU Cottbus, Allgemeine Elektrotechnik
Universitaetsplatz 3-4, D-03044 Cottbus
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
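Worked illustration of the point in the thread (added here as an example; it is not OpenSSL code and not part of the original mail). It builds the two things a server on one port may see first: a V2-format ClientHello that nevertheless requests version 3.1 (what the JSSE default described above sends), laid out as in RFC 2246 Appendix E, and a V3/TLS-format ClientHello record. Two hypothetical server policies, named "sslv23" and "tlsv1" after the two OpenSSL methods Lutz mentions, classify the first bytes on the wire: the first accepts either hello format, the second only the V3/TLS record format. The cipher specs, the zero challenge and random, and the byte-pattern classification heuristic are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed example, not OpenSSL's implementation. */
enum hello_kind { HELLO_V2_FORMAT, HELLO_V3_RECORD, HELLO_UNKNOWN };

/* Constructed cipher specs in V2 3-byte form: a V3 suite (0x00,0x00,0x0a)
 * embedded as Appendix E allows, plus a genuine SSLv2 spec (0x01,0x00,0x80). */
static const uint8_t SAMPLE_SPECS[] = { 0x00, 0x00, 0x0a, 0x01, 0x00, 0x80 };

/* V2-format CLIENT-HELLO: 2-byte length with high bit set, msg_type=1,
 * version, cipher_spec_length, session_id_length, challenge_length,
 * cipher_specs, session_id, challenge. Returns bytes written, 0 on error. */
size_t build_v2_client_hello(uint8_t *buf, size_t cap, uint8_t major, uint8_t minor,
                             const uint8_t *specs, size_t n_specs, const uint8_t chal[16])
{
    size_t cs_len = n_specs * 3;
    size_t body = 1 + 2 + 2 + 2 + 2 + cs_len + 16;   /* no session id */
    if (body > 0x7fff || cap < 2 + body) return 0;
    buf[0] = (uint8_t)(0x80 | (body >> 8));           /* high bit marks a V2 header */
    buf[1] = (uint8_t)body;
    buf[2] = 1;                                        /* CLIENT-HELLO */
    buf[3] = major; buf[4] = minor;                    /* version the client wants, 3.1 = TLS 1.0 */
    buf[5] = (uint8_t)(cs_len >> 8); buf[6] = (uint8_t)cs_len;
    buf[7] = 0; buf[8] = 0;                            /* session_id_length */
    buf[9] = 0; buf[10] = 16;                          /* challenge_length */
    memcpy(buf + 11, specs, cs_len);
    memcpy(buf + 11 + cs_len, chal, 16);
    return 2 + body;
}

/* Minimal V3/TLS-format ClientHello: 5-byte record header (type 22),
 * 4-byte handshake header (type 1), then client_version, 32-byte random,
 * empty session id, one cipher suite, null compression. */
size_t build_v3_client_hello(uint8_t *buf, size_t cap, uint8_t major, uint8_t minor)
{
    const size_t body = 2 + 32 + 1 + 2 + 2 + 1 + 1, hs = 4 + body, rec = 5 + hs;
    if (cap < rec) return 0;
    memset(buf, 0, rec);                               /* random left zero: constructed */
    buf[0] = 22; buf[1] = 3; buf[2] = 1; buf[3] = 0; buf[4] = (uint8_t)hs;
    buf[5] = 1;  buf[6] = 0; buf[7] = 0; buf[8] = (uint8_t)body;
    buf[9] = major; buf[10] = minor;                   /* client_version */
    buf[44] = 0; buf[45] = 2;                          /* cipher_suites length */
    buf[46] = 0x00; buf[47] = 0x0a;                    /* TLS_RSA_WITH_3DES_EDE_CBC_SHA */
    buf[48] = 1; buf[49] = 0;                          /* compression: null */
    return rec;
}

/* Server side: which hello format arrived? (simplified heuristic) */
enum hello_kind classify_hello(const uint8_t *p, size_t n)
{
    if (n >= 3 && (p[0] & 0x80) && p[2] == 1) return HELLO_V2_FORMAT;
    if (n >= 5 && p[0] == 22 && p[1] == 3)    return HELLO_V3_RECORD;
    return HELLO_UNKNOWN;
}

/* Version the client asks for, as major<<8|minor, from either format; 0 on failure. */
int requested_version(const uint8_t *p, size_t n)
{
    switch (classify_hello(p, n)) {
    case HELLO_V2_FORMAT: return (p[3] << 8) | p[4];
    case HELLO_V3_RECORD: return (n >= 11 && p[5] == 1) ? (p[9] << 8) | p[10] : 0;
    default:              return 0;
    }
}

/* A V2-format hello requesting >= 3.0 continues as a V3/TLS handshake at
 * the highest version both sides support; a request below 3.0 would need a
 * real SSLv2 handshake, which this server does not do (returns 0). */
int negotiate_version(int server_max, int client_req)
{
    if (client_req < 0x0300) return 0;
    return client_req < server_max ? client_req : server_max;
}

/* "sslv23": either hello format; "tlsv1": V3/TLS record format only. */
int server_accepts(const char *policy, const uint8_t *p, size_t n)
{
    enum hello_kind k = classify_hello(p, n);
    if (strcmp(policy, "sslv23") == 0) return k == HELLO_V2_FORMAT || k == HELLO_V3_RECORD;
    if (strcmp(policy, "tlsv1") == 0)  return k == HELLO_V3_RECORD;
    return 0;
}

/* Builds both hellos requesting 3.1 and reports each policy's verdict. */
int demo(void)
{
    uint8_t v2[64], v3[64], chal[16] = { 0 };
    size_t n2 = build_v2_client_hello(v2, sizeof v2, 3, 1, SAMPLE_SPECS, 2, chal);
    size_t n3 = build_v3_client_hello(v3, sizeof v3, 3, 1);
    if (!n2 || !n3) return 0;
    printf("V2-format hello (%zu bytes) requests %04x: sslv23=%d tlsv1=%d\n", n2,
           requested_version(v2, n2), server_accepts("sslv23", v2, n2), server_accepts("tlsv1", v2, n2));
    printf("V3-format hello (%zu bytes) requests %04x: sslv23=%d tlsv1=%d\n", n3,
           requested_version(v3, n3), server_accepts("sslv23", v3, n3), server_accepts("tlsv1", v3, n3));
    return server_accepts("sslv23", v2, n2) && !server_accepts("tlsv1", v2, n2)
        && server_accepts("tlsv1", v3, n3) && requested_version(v2, n2) == 0x0301;
}

int main(void) { return demo() ? 0 : 1; }
```

The V2-format hello that asks for 3.1 is rejected outright by the "tlsv1" policy, which is exactly the interoperability gap the thread is about: a TLSv1_method() server never looks past the first byte, whereas the SSLv23-style server reads the requested version out of the V2 header and continues with a TLS handshake.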