On Sun, Mar 18, 2012 at 12:20:48AM +0100, Kurt Roeckx via RT wrote:
> On Sat, Mar 17, 2012 at 09:13:51PM +0100, Nikos Mavrogiannopoulos via RT wrote:
> > On 03/17/2012 09:03 PM, Stephen Henson via RT wrote:
> > >
> > >> [n...@gnutls.org - Sat Mar 17 16:08:24 2012]:
> > >>
> > >> I captured the handshake (attached), and it seems the client
> > >> advertises TLS 1.2. Could it be that the fallback is on the lowest
> > >> supported version rather than the next available?
> > >>
> > >
> > > That's strange. I tried OpenSSL 1.0.0h server (which supports up to
> > > TLS 1.0) against OpenSSL 1.0.1 client (which also supports TLS 1.1
> > > and 1.2) and it ends up negotiating TLS v1.0 which is what I'd
> > > expect. I'll see what that handshake capture reveals.
> >
> > Indeed interesting. I downloaded 1.0.0h from source and I saw the behavior
> > you describe. The issue is triggered on the version 1.0.0h as
> > distributed by Debian.
>
> The only thing I can think of why it would behave differently is
> that we configured it with no-ssl2.
>
> The full options we call Configure with is:
> no-idea no-mdc2 no-rc5 zlib enable-tlsext no-ssl2
I can confirm that removing the "no-ssl2" part gets me a TLS instead of
SSLv3 connection.

Kurt

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
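The check described in the thread (a client advertising TLS 1.2 talks to a server that speaks up to TLS 1.0, and the answer should be TLS 1.0 rather than a fallback to SSLv3), as an added example that is not part of the thread or of OpenSSL. It builds constructed ClientHello/ServerHello records, reads the version field from each, and flags a negotiated version below the highest one both sides support; `build_hello` and the filler bytes are sample data, not a real capture.

```python
import os

# Protocol versions as they appear on the wire: (major, minor).
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

HANDSHAKE = 0x16                      # TLS record content type for handshake messages
CLIENT_HELLO, SERVER_HELLO = 1, 2     # handshake message types


def build_hello(hs_type, version, record_version=(3, 1)):
    """Construct a minimal Hello record (constructed sample data, not a real capture).
    Body: version(2) random(32) session_id_len(1) then cipher/compression fields."""
    tail = b"\x00\x02\x00\x2f\x01\x00" if hs_type == CLIENT_HELLO else b"\x00\x2f\x00"
    body = bytes(version) + os.urandom(32) + b"\x00" + tail
    handshake = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + bytes(record_version) + len(handshake).to_bytes(2, "big") + handshake


def hello_version(record):
    """Return the (major, minor) version carried in a ClientHello or ServerHello body.
    Offsets: 5-byte record header, 4-byte handshake header, then the 2-byte version."""
    if len(record) < 11 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    if record[5] not in (CLIENT_HELLO, SERVER_HELLO):
        raise ValueError("not a Hello message")
    return (record[9], record[10])


def check_negotiation(client_hello, server_hello, server_max):
    """Compare the version the server chose with the highest version both sides support.
    server_max is the top version the server is built to speak, e.g. (3, 1) for TLS 1.0."""
    offered = hello_version(client_hello)   # ClientHello carries the client's maximum
    chosen = hello_version(server_hello)    # ServerHello carries the negotiated version
    expected = min(offered, server_max)     # correct fallback: next available, not lowest
    return {
        "client_offered": VERSIONS.get(offered, str(offered)),
        "server_chose": VERSIONS.get(chosen, str(chosen)),
        "expected": VERSIONS.get(expected, str(expected)),
        "unexpected_fallback": chosen < expected,
    }


if __name__ == "__main__":
    client = build_hello(CLIENT_HELLO, (3, 3))                  # client advertises TLS 1.2
    print(check_negotiation(client, build_hello(SERVER_HELLO, (3, 0)), (3, 1)))  # flagged
    print(check_negotiation(client, build_hello(SERVER_HELLO, (3, 1)), (3, 1)))  # expected
```

On a real capture, feed the first handshake record of each direction to `hello_version` instead of the constructed ones.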