On Mon, Oct 24, 2005 at 04:08:19PM +0200, Peter Sylvester wrote:

>> [...] I.e., a client that connects to a
>> server can *either* support SSL 2.0 servers *or* use TLS extensions,
>> but not both.
>>
>> The SSL 3.0 and TLS 1.0 specifications have the forward compatibility
>> note about extra data at the end of the Client Hello, so s23_srvr.c
>> should always tolerate extra data in a Client Hello that does not use
>> the SSL 2.0 format.
> A client that fills extra data into the compatible data must indeed
> be prepared that a strict v2 server rejects the client hello, and repeat
> with a correct one. Here we are talking about the server mode.
>
> Would it hurt Openssl to be a tolerant server, and ignore the additional
> in v2 mode, because that doesn't hurt as far as I understand.

Hm. Probably being this liberal wouldn't actually hurt, but I don't see a good case for doing this -- it helps only with ill-behaving clients. I think it's better to fix the latter (should they exist) and to generally encourage implementors to step away from 2.0-compatibility. Accepting this new extended 2.0 format might perpetuate a data format that is already obsolete.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List
Automated List Manager
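As an added example, not part of this thread and not OpenSSL's s23_srvr.c, a small Python inspector of the two Client Hello layouts discussed above: the v3-format hello, whose trailing bytes are tolerated per the forward-compatibility note and, if well-formed, parsed as TLS extensions, and the SSL 2.0-format hello, which has no extension slot at all, so any trailing bytes are simply reported. The sample hellos and the server_name extension bytes are constructed, not captured traffic.

```python
import struct

def _u16(b, i):
    return struct.unpack(">H", b[i:i + 2])[0]

def parse_extensions(extra):
    # Trailing bytes of a v3 ClientHello, if well-formed, are a TLS
    # extensions block: 2-byte total length, then (type, length, data).
    if len(extra) < 2 or _u16(extra, 0) != len(extra) - 2:
        return None
    pos, out = 2, []
    while pos + 4 <= len(extra):
        etype, elen = struct.unpack(">HH", extra[pos:pos + 4])
        out.append((etype, extra[pos + 4:pos + 4 + elen]))
        pos += 4 + elen
    return out if pos == len(extra) else None

def inspect_client_hello(record):
    # Classify a ClientHello by its record header; report what follows the base fields.
    if record[0] & 0x80:  # SSL 2.0 record header: 15-bit length, MSB set
        msg = record[2:2 + (_u16(record, 0) & 0x7FFF)]
        version, cs_len, sid_len, ch_len = struct.unpack(">HHHH", msg[1:9])
        trailing = len(msg) - (9 + cs_len + sid_len + ch_len)
        # No extension slot exists here; a strict v2 server rejects a hello with trailing != 0.
        return {"format": "v2", "version": version,
                "trailing": trailing, "extensions": None}
    # v3 format: 5-byte record header, 4-byte handshake header, then body
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    pos = 2 + 32                 # client_version, random
    pos += 1 + body[pos]         # session_id
    cs_len = _u16(body, pos)
    pos += 2 + cs_len            # cipher_suites
    pos += 1 + body[pos]         # compression_methods
    extra = body[pos:]           # tolerated per the forward-compat note
    return {"format": "v3", "version": _u16(body, 0), "trailing": len(extra),
            "extensions": parse_extensions(extra) if extra else []}

# Constructed sample hellos (not captured traffic): TLS 1.0, one cipher suite.
def v3_hello(extra=b""):
    body = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00" + extra
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs

def v2_hello(extra=b""):
    msg = b"\x01\x03\x01" + struct.pack(">HHH", 3, 0, 16) + b"\x00\x00\x2f" + bytes(16) + extra
    return struct.pack(">H", 0x8000 | len(msg)) + msg

# server_name extension block naming "host" (constructed), 15 bytes in total
SNI = b"\x00\x0d" + b"\x00\x00\x00\x09\x00\x07\x00\x00\x04host"
```

Feeding `v3_hello(SNI)` and `v2_hello(SNI)` to `inspect_client_hello` shows the same 15 trailing bytes being parsed as an extension in one format and having nowhere to go in the other.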
