Hi Steve! On Wed, 11 Nov 2009 16:08:36 +0100 "Dr. Stephen Henson" <[email protected]> wrote:
> On Wed, Nov 11, 2009, Tomas Hoger wrote:
>
> > This is unclear, they are banned in 0.9.8-stable, but 1.0.0beta4
> > seems to allow all, even those without an extension.
>
> Sorry about that, the port I did to 1.0.0 was broken and missed out
> several changes, should be fixed by tomorrow's snapshot.

Thanks for the clarification. I re-tested with current 1.0.0-stable CVS and the behavior is now similar to 0.9.8-stable. Both versions also enforce client extension checks (4.1 of reneg RFC).

An interesting case is when a client using SSLv23_client_method (as e.g. s_client does by default) is trying to talk to a TLSv1 server. In 0.9.8, an SSLv2 Client Hello is sent indicating TLSv1 as the highest supported protocol version. The Server Hello is TLSv1 and does not contain the extension, hence the client fails even when talking to a new server. I don't see this behavior with 1.0.0-stable's s_client thanks to the ssl23_no_ssl2_ciphers check.

th.
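As an added illustration (not code from this thread or from OpenSSL): a small parser that applies the client-side initial-handshake check discussed above to a constructed TLS ServerHello, reporting whether the renegotiation_info extension (type 0xff01, RFC 5746) is present with an empty renegotiated_connection. The extension type and encoding come from RFC 5746; both sample ServerHellos are constructed here, the second modelling the extension-less Server Hello a client receives in the case described in the message.

```python
import struct

RENEGOTIATION_INFO = 0xFF01  # extension type assigned by RFC 5746


def parse_server_hello(body: bytes) -> dict:
    """Parse a TLS ServerHello body (after the 4-byte handshake header).

    Returns the protocol version, the chosen cipher suite and a mapping of
    extension type -> extension data. Raises ValueError on truncated input.
    """
    off = 0

    def need(n: int) -> None:
        if off + n > len(body):
            raise ValueError("truncated ServerHello")

    need(2 + 32 + 1)
    version = (body[0], body[1])
    off = 2 + 32                      # skip version and 32-byte server random
    sid_len = body[off]; off += 1
    need(sid_len + 2 + 1)
    off += sid_len                    # skip session id
    cipher = struct.unpack_from(">H", body, off)[0]; off += 2
    off += 1                          # compression method
    exts = {}
    if off < len(body):               # extensions block is optional in TLS 1.0
        need(2)
        end = off + 2 + struct.unpack_from(">H", body, off)[0]; off += 2
        if end > len(body):
            raise ValueError("extensions length exceeds message")
        while off + 4 <= end:
            etype, elen = struct.unpack_from(">HH", body, off); off += 4
            if off + elen > end:
                raise ValueError("truncated extension")
            exts[etype] = body[off:off + elen]; off += elen
    return {"version": version, "cipher": cipher, "extensions": exts}


def initial_handshake_is_secure(body: bytes) -> bool:
    """RFC 5746 client check for an initial handshake: the ServerHello must
    carry renegotiation_info whose renegotiated_connection is empty, which
    on the wire is a single length byte of zero."""
    exts = parse_server_hello(body)["extensions"]
    return exts.get(RENEGOTIATION_INFO) == b"\x00"


def build_server_hello(with_reneg_info: bool) -> bytes:
    """Constructed TLS 1.0 ServerHello: zero random, empty session id,
    cipher suite 0x002f, null compression, optional renegotiation_info."""
    hello = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    if with_reneg_info:
        ext = struct.pack(">HH", RENEGOTIATION_INFO, 1) + b"\x00"
        hello += struct.pack(">H", len(ext)) + ext
    return hello
```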
