Hello,

On Tuesday, 30. March 2010 15:51:31 Bodo Moeller wrote:
> So client-side OpenSSL is buggy if compiled with no-tlsext (in 0.9.8m
> and 0.9.8n) because it sends that pseudo-ciphersuite number without
> being able to handle the TLS extension then expected in the server's
> response. So the no-tlsext build shouldn't be sending the
> pseudo-ciphersuite number. However, then you'd soon have problems
> connecting to some updated servers, as these may start to *demand*
> confirmation that clients are updated to support RFC 5746. So the fix
> won't help you in the long run.

Thanks for your explanation. I could remove the no-tlsext option as the servers under our control have been upgraded from CentOS 3 to CentOS 5.

I'm just thinking what might happen if, e.g., a TLS-enabled postfix connects to an old CentOS 3 based server to deliver emails. Guess that would fail like in 2009, wouldn't it?

Cheers,
Thomas
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
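
The exchange discussed in the quoted message, as an added example that is not part of the thread and is not OpenSSL code: a client that offers the RFC 5746 pseudo-ciphersuite has to be able to parse the extension block in the ServerHello and check the `renegotiation_info` entry. Function names and verdict strings are hypothetical, and the sample ServerHello is constructed.

```python
import struct

SCSV = 0x00FF                # TLS_EMPTY_RENEGOTIATION_INFO_SCSV (RFC 5746)
RENEGOTIATION_INFO = 0xFF01  # renegotiation_info extension type (RFC 5746)

def server_hello_extensions(body: bytes) -> dict:
    """Map extension type -> data for a ServerHello body (handshake header stripped)."""
    pos = 2 + 32                  # server_version, random
    pos += 1 + body[pos]          # session_id
    pos += 2 + 1                  # cipher_suite, compression_method
    if pos == len(body):          # server sent no extensions block at all
        return {}
    (total,) = struct.unpack_from("!H", body, pos)
    pos += 2
    if pos + total != len(body):
        raise ValueError("extensions length does not match message length")
    exts = {}
    while pos < len(body):
        if pos + 4 > len(body):
            raise ValueError("truncated extension header")
        ext_type, ext_len = struct.unpack_from("!HH", body, pos)
        pos += 4
        if pos + ext_len > len(body):
            raise ValueError("truncated extension data")
        exts[ext_type] = body[pos:pos + ext_len]
        pos += ext_len
    return exts

def initial_handshake_verdict(offered_suites, server_hello: bytes) -> str:
    """Client-side conclusion on a first handshake (models SCSV signalling only)."""
    ri = server_hello_extensions(server_hello).get(RENEGOTIATION_INFO)
    if ri is None:
        return "legacy-server"            # no RFC 5746 confirmation from the server
    if SCSV not in offered_suites:
        return "unsolicited-extension"    # client never signalled support
    if ri != b"\x00":
        return "abort"                    # renegotiated_connection must be empty here
    return "secure-renegotiation"

def build_server_hello(extensions: bytes = b"") -> bytes:
    """Constructed sample ServerHello body (TLS 1.0, empty session_id)."""
    body = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    return body

# Constructed sample: an updated server answers the SCSV with an empty renegotiation_info.
RI_EMPTY = struct.pack("!HH", RENEGOTIATION_INFO, 1) + b"\x00"
```

A client that sends `SCSV` but has no code path equivalent to `server_hello_extensions` is in the situation described for the no-tlsext build in the quoted text.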