Bodo Moeller wrote:

> On Mon, Oct 24, 2005 at 04:08:19PM +0200, Peter Sylvester wrote:
>
> > [...]
> >
> > > I.e., a client that connects to a server can *either* support SSL 2.0
> > > servers *or* use TLS extensions, but not both. The SSL 3.0 and TLS 1.0
> > > specifications have the forward compatibility note about extra data at
> > > the end of the Client Hello, so s23_srvr.c should always tolerate extra
> > > data in a Client Hello that does not use the SSL 2.0 format.
> >
> > A client that fills extra data into the compatible data must indeed be
> > prepared that a strict v2 server rejects the client hello, and repeat
> > with a correct one. Here we are talking about the server mode. Would it
> > hurt OpenSSL to be a tolerant server, and ignore the additional data in
> > v2 mode, because that doesn't hurt as far as I understand.
>
> Hm. Probably being this liberal wouldn't actually hurt, but I don't see a
> good case for doing this -- it helps only with ill-behaving clients. I
> think it's better to fix the latter (should they exist) and to generally
> encourage implementors to step away from 2.0-compatibility. Accepting this
> new extended 2.0 format might perpetuate a data format that is already
> obsolete.
I agree, I'll leave this out for the servername patch.

--
To verify the signature, see http://edelpki.edelweb.fr/
This lets you download the CA's certificate; you will also find the list of revoked certificates there.
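The distinction the thread settles on (a v2-format hello has no room for extensions and any trailing bytes on it are a protocol error, while an SSL 3.0/TLS-format hello may carry trailing data that the forward-compatibility note says to tolerate) is easiest to see in a small parser. The following is an added example written for this page; it is not OpenSSL's s23_srvr.c and not Peter's servername patch. It classifies an incoming ClientHello by format, applies the tolerate-trailing-data rule only in the 3.0/TLS case (reading the trailing bytes as a TLS extensions block and pulling out the server_name host), and flags trailing bytes on a v2-format hello so the server can reject them the way a strict v2 server would. The function and type names and the three hand-built sample messages are assumptions of the example.

```c
/* Added example, not OpenSSL code: classify the first bytes of a connection as
 * a v2-format or an SSL 3.0/TLS-format ClientHello. Only the latter gets the
 * forward-compatibility treatment (data after compression_methods is tolerated
 * and read as TLS extensions); extra bytes on a v2-format hello are flagged. */
#include <stdint.h>
#include <string.h>

/* HELLO_V2: v2-format record ends right after the challenge. HELLO_V2_TRAILING:
 * extra bytes follow (reject, as a strict v2 server would). HELLO_V3: nothing after
 * compression_methods. HELLO_V3_EXTENDED: trailing data present and tolerated. */
enum hello_kind { HELLO_BAD = -1, HELLO_V2, HELLO_V2_TRAILING, HELLO_V3, HELLO_V3_EXTENDED };

struct hello_info {
    uint8_t major, minor; /* client_version as sent; a v2-format hello may say 3.x */
    size_t ext_len;       /* extensions block length, 0 if none or not framed */
    char sni[64];         /* host from a server_name (type 0) extension, else "" */
};

static size_t be16(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }

/* v2 record: 2-byte header (high bit set), then msg_type(1) version(2)
 * cipher_spec_len(2) session_id_len(2) challenge_len(2) and the three fields. */
static int parse_v2(const uint8_t *p, size_t n, struct hello_info *h)
{
    size_t reclen, body;
    if (n < 11 || !(p[0] & 0x80)) return HELLO_BAD;
    reclen = ((size_t)(p[0] & 0x7f) << 8) | p[1];
    if (reclen + 2 != n || p[2] != 0x01) return HELLO_BAD;  /* CLIENT-HELLO only */
    h->major = p[3]; h->minor = p[4];
    if (be16(p + 5) % 3 != 0) return HELLO_BAD;             /* 3-byte cipher specs */
    body = 9 + be16(p + 5) + be16(p + 7) + be16(p + 9);
    return body > reclen ? HELLO_BAD : body == reclen ? HELLO_V2 : HELLO_V2_TRAILING;
}

/* Extensions block: repeated type(2) len(2) data. For server_name (type 0) the
 * data is list_len(2) name_type(1) host_len(2) host; copy the host out. */
static void parse_extensions(const uint8_t *p, size_t n, struct hello_info *h)
{
    size_t pos = 0;
    while (pos + 4 <= n) {
        size_t type = be16(p + pos), len = be16(p + pos + 2), hlen;
        pos += 4;
        if (pos + len > n) return;                          /* truncated: ignore */
        if (type == 0 && len >= 5 && p[pos + 2] == 0 &&
            (hlen = be16(p + pos + 3)) + 5 <= len && hlen < sizeof h->sni) {
            memcpy(h->sni, p + pos + 5, hlen);
            h->sni[hlen] = '\0';
        }
        pos += len;
    }
}

/* SSL 3.0/TLS: record type(1) version(2) len(2); handshake type(1) len(3);
 * client_version(2) random(32) session_id<1> cipher_suites<2> compression<1>. */
static int parse_v3(const uint8_t *p, size_t n, struct hello_info *h)
{
    size_t reclen, hslen, pos = 9;
    if (n < 9 || p[0] != 0x16 || p[5] != 0x01) return HELLO_BAD;
    reclen = be16(p + 3);
    hslen = ((size_t)p[6] << 16) | be16(p + 7);
    if (reclen + 5 != n || hslen + 4 != reclen || n < 44) return HELLO_BAD;
    h->major = p[pos]; h->minor = p[pos + 1];
    pos += 34;                                   /* client_version + random */
    pos += 1 + p[pos];                           /* session_id */
    if (pos + 2 > n) return HELLO_BAD;
    pos += 2 + be16(p + pos);                    /* cipher_suites */
    if (pos + 1 > n) return HELLO_BAD;
    pos += 1 + p[pos];                           /* compression_methods */
    if (pos > n) return HELLO_BAD;
    if (pos == n) return HELLO_V3;
    /* Forward-compatibility note: whatever follows must be tolerated. Read it
     * as an extensions block only when its length field frames it exactly. */
    if (pos + 2 <= n && pos + 2 + be16(p + pos) == n) {
        h->ext_len = be16(p + pos);
        parse_extensions(p + pos + 2, h->ext_len, h);
    }
    return HELLO_V3_EXTENDED;
}

/* Dispatch on the first byte: high bit set means a 2-byte v2 record header. */
int classify_client_hello(const uint8_t *p, size_t n, struct hello_info *h)
{
    memset(h, 0, sizeof *h);
    return (n > 0 && (p[0] & 0x80)) ? parse_v2(p, n, h) : parse_v3(p, n, h);
}

/* Constructed samples, not captures. V2_COMPAT: v2-format hello advertising
 * version 3.1, one cipher spec, 16-byte challenge. V2_TRAILING: the same plus four
 * extra bytes (the "extended 2.0 format" above). V3_SNI: TLS 1.0 ClientHello with
 * an all-zero random, one suite, null compression and a server_name extension. */
static const uint8_t V2_COMPAT[30] = {
    0x80, 0x1c, 0x01, 0x03, 0x01, 0x00, 0x03, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x2f,
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
static const uint8_t V2_TRAILING[34] = {
    0x80, 0x20, 0x01, 0x03, 0x01, 0x00, 0x03, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x2f,
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 0xde, 0xad, 0xbe, 0xef };
static const uint8_t V3_SNI[72] = {
    0x16, 0x03, 0x01, 0x00, 0x43, 0x01, 0x00, 0x00, 0x3f, 0x03, 0x01, /* random = 0 */
    [43] = 0x00, 0x00, 0x02, 0x00, 0x2f, 0x01, 0x00, 0x00, 0x14, /* sid, suite, comp, ext len */
    0x00, 0x00, 0x00, 0x10, 0x00, 0x0e, 0x00, 0x00, 0x0b, /* server_name, list, host_name */
    'e', 'x', 'a', 'm', 'p', 'l', 'e', '.', 'c', 'o', 'm' };
```

Calling classify_client_hello on V2_COMPAT yields HELLO_V2 with client_version 3.1, which is exactly the "compatible" hello a client sends when it still wants to talk to SSL 2.0 servers; V2_TRAILING yields HELLO_V2_TRAILING, the case the thread decides not to accept; V3_SNI yields HELLO_V3_EXTENDED with the host "example.com" recovered from the trailing extensions block. Note that the v3 parser, per the forward-compatibility note, still returns HELLO_V3_EXTENDED when the trailing bytes do not frame as an extensions block; it simply leaves ext_len at 0 rather than failing the handshake.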
