In message <[EMAIL PROTECTED]> on Tue, 7 Oct 2003 19:16:59 +0200, "Dr. Stephen Henson" <[EMAIL PROTECTED]> said:

steve> On Tue, Oct 07, 2003, Richard Levitte - VMS Whacker wrote:
steve> 
steve> > As has been seen in my last few commits, I got a bit obsessed with
steve> > compression.  The way it works now, at least in 0.9.8-dev, is
steve> > compliant with draft-ietf-tls-compression-05.txt, as far as I can
steve> > tell.
steve> 
steve> Interesting.  Is it still stateless or does it retain the
steve> compression state for improved performance?

It's stateful, as required by that draft.

steve> > The only thing that remains is something that itches me quite a bit.
steve> > As soon as SSLv23 is used, we can kiss compression goodbye, even if
steve> > SSLv2 has been disabled.
steve> > 
steve> 
steve> Maybe one for the TLS mailing list?  I can think of ways to do
steve> this such as dummy ciphersuites etc but it would need to be
steve> standardised.

I think that part is already answered by the following, taken from
appendix E in RFC 2246:

   TLS version 1.0 and SSL 3.0 are very similar; thus, supporting both is
   easy.  TLS clients who wish to negotiate with SSL 3.0 servers should
   send client hello messages using the SSL 3.0 record format and client
   hello structure, sending {3, 1} for the version field to note that
   they support TLS 1.0.  If the server supports only SSL 3.0, it will
   respond with an SSL 3.0 server hello; if it supports TLS, with a TLS
   server hello.  The negotiation then proceeds as appropriate for the
   negotiated protocol.

   Similarly, a TLS server which wishes to interoperate with SSL 3.0
   clients should accept SSL 3.0 client hello messages and respond with
   an SSL 3.0 server hello if an SSL 3.0 client hello is received which
   has a version field of {3, 0}, denoting that this client does not
   support TLS.

   Whenever a client already knows the highest protocol known to a
   server (for example, when resuming a session), it should initiate the
   connection in that native protocol.

So my question is rather what kind of stuff might I run into in the
OpenSSL code?  One thing I've figured out is that it's not as easy as
simply calling the SSLv3 send client hello routine from the SSLv23
one...

-- 
Richard Levitte                         \ Tunnlandsvägen 3       \ [EMAIL PROTECTED]
[EMAIL PROTECTED]                       \ S-168 36  BROMMA       \ T: +46-8-26 52 47
                                        \     SWEDEN             \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis                -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
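The following is an added, stand-alone illustration of the two points in the message above (it is not Richard Levitte's code and not OpenSSL's): it builds an SSL 3.0-format ClientHello carrying {3, 1} as the client version, as RFC 2246 appendix E suggests, builds the SSLv2-format CLIENT-HELLO that an SSLv23-style client sends, and parses both. The parser makes the "kiss compression goodbye" problem concrete: the v2 format simply has no compression_methods field, so a server can only pick null compression from it, while the v3 format carries the list the TLS compression draft negotiates from. The version choice follows appendix E literally (answer with the lower of the client's version and the server's maximum). All byte strings, the function names, the two example ciphersuites (0x000A and 0x002F) and the use of 1 as the DEFLATE method id (as in the later RFC 3749) are assumptions of this example.

```python
"""Constructed example: SSL 3.0 / TLS 1.0 ClientHello formats and the
RFC 2246 appendix E version negotiation. Not OpenSSL code."""
import struct

SSL3 = (3, 0)
TLS1 = (3, 1)
NULL_COMPRESSION = 0
DEFLATE = 1  # assumed id for DEFLATE (RFC 3749 assigns 1)


def build_v3_client_hello(client_version=TLS1, ciphers=(0x000A, 0x002F),
                          compression=(DEFLATE, NULL_COMPRESSION),
                          record_version=SSL3):
    """SSL 3.0 record format + SSL 3.0/TLS ClientHello structure.
    record_version is what the record layer advertises, client_version is the
    highest version the client supports (appendix E: {3,1} inside a {3,0}
    record). The compression_methods vector is part of this format."""
    random = bytes(32)  # constructed; a real client uses time + 28 random bytes
    body = bytes(client_version) + random + b"\x00"  # empty session_id
    body += struct.pack(">H", 2 * len(ciphers))
    body += b"".join(struct.pack(">H", c) for c in ciphers)
    body += bytes([len(compression)]) + bytes(compression)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # client_hello = 1
    return b"\x16" + bytes(record_version) + struct.pack(">H", len(handshake)) + handshake


def build_v2_compat_client_hello(client_version=TLS1, ciphers=(0x000A, 0x002F)):
    """SSLv2-format CLIENT-HELLO as sent by an SSLv23-style client.
    Note: 2-byte length header, 3-byte cipher specs, and *no* compression
    field anywhere in the structure."""
    cipher_specs = b"".join(b"\x00" + struct.pack(">H", c) for c in ciphers)
    challenge = bytes(16)  # constructed
    body = (b"\x01" + bytes(client_version)
            + struct.pack(">HHH", len(cipher_specs), 0, len(challenge))
            + cipher_specs + challenge)
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_client_hello(msg):
    """Return a dict with format, client_version, ciphers and compression
    (None when the hello format cannot carry a compression list)."""
    if msg[0] == 0x16:  # ContentType handshake: SSL 3.0 / TLS record
        rec_version = (msg[1], msg[2])
        rec_len = struct.unpack(">H", msg[3:5])[0]
        hs = msg[5:5 + rec_len]
        if hs[0] != 1:
            raise ValueError("not a client_hello handshake message")
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        client_version = (body[0], body[1])
        p = 2 + 32                       # skip random
        p += 1 + body[p]                 # skip session_id
        cs_len = struct.unpack(">H", body[p:p + 2])[0]
        p += 2
        ciphers = [struct.unpack(">H", body[i:i + 2])[0] for i in range(p, p + cs_len, 2)]
        p += cs_len
        compression = list(body[p + 1:p + 1 + body[p]])
        return {"format": "v3", "record_version": rec_version,
                "client_version": client_version, "ciphers": ciphers,
                "compression": compression}
    if msg[0] & 0x80:  # SSLv2 2-byte header, high bit set
        length = ((msg[0] & 0x7F) << 8) | msg[1]
        body = msg[2:2 + length]
        if body[0] != 1:
            raise ValueError("not an SSLv2 CLIENT-HELLO")
        client_version = (body[1], body[2])
        cs_len = struct.unpack(">HHH", body[3:9])[0]
        specs = body[9:9 + cs_len]
        # keep only the 3-byte specs that encode an SSLv3/TLS ciphersuite
        ciphers = [struct.unpack(">H", specs[i + 1:i + 3])[0]
                   for i in range(0, cs_len, 3) if specs[i] == 0]
        return {"format": "v2", "record_version": None,
                "client_version": client_version, "ciphers": ciphers,
                "compression": None}
    raise ValueError("unrecognised ClientHello")


def server_negotiate(hello, server_max=TLS1,
                     server_compression=(DEFLATE, NULL_COMPRESSION)):
    """Appendix E: reply in the lower of the client's and server's versions.
    Compression can only be negotiated if the hello format carried a list."""
    version = min(hello["client_version"], server_max)
    if version < SSL3:
        raise ValueError("client too old")
    if hello["compression"] is None:   # v2-format hello: nothing to pick from
        return version, NULL_COMPRESSION
    chosen = next((c for c in hello["compression"] if c in server_compression),
                  NULL_COMPRESSION)
    return version, chosen


if __name__ == "__main__":
    for hello in (build_v3_client_hello(), build_v2_compat_client_hello()):
        parsed = parse_client_hello(hello)
        print(parsed["format"], parsed["client_version"], parsed["compression"],
              "->", server_negotiate(parsed))
```

Running the block prints one line per hello: the v3-format hello with {3, 1} negotiates TLS 1.0 with DEFLATE, and the same hello against a server capped at SSL 3.0 gets a {3, 0} answer, while the v2-compat hello ends up with null compression whatever the server supports, which is the itch the message describes.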