On Mon, Mar 20, 2000, Bodo Moeller wrote:
> On Sun, Mar 19, 2000 at 07:51:38PM -0800, Claus Assmann wrote:

> > I'm trying to write a server (using OpenSSL) that doesn't use
> > patented algorithms, which means I have to restrict my server to
> > TLSv1 or SSLv3 (right?), so I would like to use TLSv1 only, but
> > then a "default" client (SSL23_method) does not talk to my server.

> If you want to allow only TLSv1 in a server (which you actually don't
> explicitly have to do if you want to avoid RSA -- configuring the
> library with "no-rsa" is enough, as you can see by running "make test"
> for the new beta release), you should use SSLv23_[server_]method and
> disable the other protocol versions by setting the SSL_OP_NO_SSLv2
> and/or SSL_OP_NO_SSLv3 options.

That's the part I was missing. I tried SSLv23_method before (without
patented algorithms) and it failed later on because I didn't set
that option.

Thanks a lot for your long explanation! I should have mentioned
that the only part of the table I couldn't understand was that
server:TLSv1 and client: SSLv23 did not work together (the rest is
obvious), but your explanation makes perfect sense. Now my server
seems to work without patented algorithms and with a "default"
client.

PS: openssl-0.9.5a-beta1 doesn't compile "out-of-the-box" on FreeBSD
3.2, I'll submit an error report (after I tried it one more time...)
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
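The configuration Bodo recommends, as an added example that is not from the thread or the OpenSSL project, written against Python's ssl module (a binding of the same OpenSSL API: PROTOCOL_TLS_SERVER is the version-negotiating SSLv23_server_method, and OP_NO_SSLv2/OP_NO_SSLv3 are SSL_OP_NO_SSLv2/SSL_OP_NO_SSLv3) rather than the C library directly. The enabled_versions helper is an assumed addition for checking the result and needs Python 3.7 or later.

```python
import ssl

# Per-version OP_NO_* bits, the Python names of OpenSSL's SSL_OP_NO_* options.
# SSLv2 is absent: OpenSSL >= 1.1.0 removed it and defines SSL_OP_NO_SSLv2 as 0,
# so its bit can never be observed; treat it as permanently disabled.
_OP_NO = {
    "SSLv3": (ssl.OP_NO_SSLv3, ssl.TLSVersion.SSLv3),
    "TLSv1": (ssl.OP_NO_TLSv1, ssl.TLSVersion.TLSv1),
    "TLSv1.1": (ssl.OP_NO_TLSv1_1, ssl.TLSVersion.TLSv1_1),
    "TLSv1.2": (ssl.OP_NO_TLSv1_2, ssl.TLSVersion.TLSv1_2),
    "TLSv1.3": (ssl.OP_NO_TLSv1_3, ssl.TLSVersion.TLSv1_3),
}


def tls_only_server_context() -> ssl.SSLContext:
    """Version-flexible server context with the SSL protocols switched off.

    PROTOCOL_TLS_SERVER is the negotiating method (SSLv23_server_method in the
    thread), so a "default" SSLv23 client still connects; the OP_NO_* bits then
    restrict what the negotiation may settle on, which is the part a server
    locked to TLSv1_server_method does not give you.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    return ctx


def enabled_versions(ctx: ssl.SSLContext) -> list:
    """Protocol versions a context can still negotiate.

    A version is usable only if its OP_NO_* bit is clear and it lies inside the
    [minimum_version, maximum_version] window (the newer API that recent
    Pythons also set by default, so option bits alone are not the whole story).
    """
    lo = int(ctx.minimum_version)  # negative means "no lower bound"
    hi = int(ctx.maximum_version)  # negative means "no upper bound"
    allowed = []
    for name, (bit, ver) in _OP_NO.items():
        if ctx.options & bit:
            continue
        if lo >= 0 and ver < lo:
            continue
        if hi >= 0 and ver > hi:
            continue
        allowed.append(name)
    return allowed


if __name__ == "__main__":
    print("server will negotiate:", enabled_versions(tls_only_server_context()))
```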
