Hi, well the (too long) subject explains it very well. But here are the details.
I used the code from the book "Network Security with OpenSSL" to play
around with SSL.
The client code looks like:
#include <openssl/ssl.h>

/* CAFILE, CADIR, CIPHER_LIST, int_error() and verify_callback() come from
 * the book's shared common code and are defined elsewhere. */
SSL_CTX *setup_client_ctx(void)
{
    SSL_CTX *ctx;

    /* SSLv23_method() negotiates the highest version both sides support */
    ctx = SSL_CTX_new(SSLv23_method());
    if (!ctx)
        int_error("Error creating SSL context.");
    if (SSL_CTX_load_verify_locations(ctx, CAFILE, CADIR) != 1)
        int_error("Error loading CA file and/or directory.");
    if (SSL_CTX_set_default_verify_paths(ctx) != 1)
        int_error("Error loading default CA file and/or directory.");
    /* require and verify the server certificate, chain depth at most 4 */
    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_callback);
    SSL_CTX_set_verify_depth(ctx, 4);
    /* bug workarounds, and refuse to negotiate SSLv2 */
    SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2);
    if (SSL_CTX_set_cipher_list(ctx, CIPHER_LIST) != 1)
        int_error("Error setting cipher list (no valid ciphers)");
    return ctx;
}
You see I use SSLv23_method() and later SSL_CTX_set_options(ctx, SSL_OP_ALL | SSL_OP_NO_SSLv2); to disable SSLv2 support.
Is it normal that the "Client Hello" message is SSLv2 and later TLS is used?
If I use SSLv3_method() everything works as expected.
I attached an ethereal capture file (see frame 4). Maybe the ethereal decoder
makes a mistake here or maybe it is normal behaviour.
Thanks,
Thomas
--
TheTom <[EMAIL PROTECTED]>
fingerprint = F055 43E5 1F3C 4F4F 9182 CD59 DBC6 111A 8516 8DBF
sslv2.bin
Description: Binary data
pgpEM7nvEdv1Q.pgp
Description: PGP signature
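An added example, not part of Thomas's message or of the book's code: SSL_OP_NO_SSLv2 controls which protocol the library will negotiate, while in the OpenSSL releases the book targets SSLv23_method() writes the ClientHello in the SSLv2-compatible envelope regardless, and Ethereal labels that envelope, not the protocol being offered. The check a practitioner wants when looking at frame 4 is therefore the version field inside the message: 3.1 in a v2-framed hello is a TLS 1.0 offer in a compatibility wrapper, 0.2 is a real SSLv2 offer. The classifier below tells the two framings apart and reads that version; all sample byte strings are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Which framing a captured ClientHello uses. A packet decoder labels the
 * framing; the version inside the message says what the client offers. */
enum hello_framing { FRAMING_UNKNOWN = 0, FRAMING_SSLV2 = 2, FRAMING_SSLV3 = 3 };

struct hello_info {
    enum hello_framing framing;
    uint8_t major;   /* highest protocol version the client offers */
    uint8_t minor;
};

/* Parse the first client-to-server bytes of a stream. */
struct hello_info classify_client_hello(const uint8_t *p, size_t n)
{
    struct hello_info h = { FRAMING_UNKNOWN, 0, 0 };

    /* SSLv2-compatible framing: 2-byte header with the high bit set (length
     * in the low 15 bits), MSG-CLIENT-HELLO (0x01), then CLIENT-VERSION.
     * A TLS client using this envelope still advertises 3.x here; a genuine
     * SSLv2 client advertises 0.2. */
    if (n >= 5 && (p[0] & 0x80) && p[2] == 0x01) {
        size_t len = (size_t)(((p[0] & 0x7f) << 8) | p[1]);
        if (len >= 3) {           /* must at least hold type + version */
            h.framing = FRAMING_SSLV2;
            h.major = p[3];
            h.minor = p[4];
        }
        return h;
    }

    /* SSLv3/TLS record framing: content type 0x16 (handshake), 2-byte record
     * version, 2-byte length, then handshake type 0x01 (client_hello),
     * 3-byte length and the 2-byte client_version. */
    if (n >= 11 && p[0] == 0x16 && p[1] == 0x03 && p[5] == 0x01) {
        h.framing = FRAMING_SSLV3;
        h.major = p[9];
        h.minor = p[10];
    }
    return h;
}

/* True only when the client really offers SSLv2 (version 0.2), which is
 * what SSL_OP_NO_SSLv2 rules out; v2 framing by itself is not that. */
int offers_sslv2(struct hello_info h)
{
    return h.framing == FRAMING_SSLV2 && h.major == 0 && h.minor == 2;
}

/* Constructed sample: v2-compatible envelope carrying a TLS 1.0 (3.1) offer,
 * two cipher specs, no session id, 16-byte challenge (all 0xAA). */
const uint8_t SAMPLE_V2_FRAMED_TLS10[] = {
    0x80, 0x1f, 0x01, 0x03, 0x01, 0x00, 0x06, 0x00, 0x00, 0x00, 0x10,
    0x00, 0x00, 0x35, 0x00, 0x00, 0x2f,
    0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA,
    0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA, 0xAA
};

/* Constructed sample: a genuine SSLv2 hello (version 0.2). */
const uint8_t SAMPLE_PURE_SSLV2[] = {
    0x80, 0x1f, 0x01, 0x00, 0x02, 0x00, 0x06, 0x00, 0x00, 0x00, 0x10,
    0x01, 0x00, 0x80, 0x07, 0x00, 0xc0,
    0xBB, 0xBB, 0xBB, 0xBB, 0xBB, 0xBB, 0xBB, 0xBB,
    0xBB, 0xBB, 0xBB, 0xBB, 0xBB, 0xBB, 0xBB, 0xBB
};

/* Constructed sample: TLS 1.0 ClientHello in SSLv3/TLS record framing
 * (only the bytes the classifier needs are meaningful; random is zeros). */
const uint8_t SAMPLE_V3_FRAMED_TLS10[] = {
    0x16, 0x03, 0x01, 0x00, 0x2d, 0x01, 0x00, 0x00, 0x29, 0x03, 0x01,
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0x00, 0x00, 0x02, 0x00, 0x2f, 0x01, 0x00
};

static void report(const char *name, const uint8_t *p, size_t n)
{
    struct hello_info h = classify_client_hello(p, n);
    printf("%s: framing=%s version=%u.%u real SSLv2 offer=%s\n", name,
           h.framing == FRAMING_SSLV2 ? "SSLv2" :
           h.framing == FRAMING_SSLV3 ? "SSLv3/TLS" : "unknown",
           h.major, h.minor, offers_sslv2(h) ? "yes" : "no");
}

int main(void)
{
    report("v2-framed TLS1.0", SAMPLE_V2_FRAMED_TLS10, sizeof SAMPLE_V2_FRAMED_TLS10);
    report("pure SSLv2",       SAMPLE_PURE_SSLV2,      sizeof SAMPLE_PURE_SSLV2);
    report("v3-framed TLS1.0", SAMPLE_V3_FRAMED_TLS10, sizeof SAMPLE_V3_FRAMED_TLS10);
    return 0;
}
```

Feed the first client-to-server payload of a capture to classify_client_hello(); a hello the decoder calls "SSLv2" but whose version reads 3.1 is the compatibility envelope, and offers_sslv2() is the test that actually matches what SSL_OP_NO_SSLv2 is meant to prevent.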
