* Andrew Marlow ([EMAIL PROTECTED]) wrote:
>
> I have done some more investigation and have found that ssltest
> will compress when the TLS1 protocol is explicitly selected.

I also took a look - it seems the problem is the v23 SSL/TLS method,
it's there to provide a handshake that can negotiate any protocol level,
but it also seems to preclude any negotiation of compression. E.g. if
you've built with "zlib", you can change into the apps/ directory and in
one shell run;

    ./openssl s_server

you'll find that (in another shell) both of the following result in
compression;

    ./openssl s_client -ssl3
    ./openssl s_client -tls1

but the following does not;

    ./openssl s_client -no_ssl2 -no_ssl3

As for why - this could be impossible to get around because of the
implicit constraints of SSLv2 compatibility, I'm not sure. Certainly if
you use the SSLv3 or TLSv1 client methods (and thus give up on talking
with any SSLv2 servers), then you'll probably be OK w.r.t. compression
unless you hit an SSLv2 server. The crap way to address this (something
Lutz mentioned in another thread) is to try connecting with an
SSLv3/TLSv1 method first and if that fails on protocol troubles, retry
with SSLv2. Yes I know, bleurgh.

Cheers,
Geoff
--
Geoff Thorpe
[EMAIL PROTECTED]
http://www.openssl.org/
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
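
An added example (not part of the original message and not OpenSSL code): a small Python parser that reports which compression methods a captured ClientHello offers, using the record layouts in RFC 2246, where the SSLv2-compatible hello has no compression field at all. That the v23 client in the reply sent that format is an assumption; the function names and sample bytes are constructed for illustration.

```python
import struct

# Compression method ids: 0 is null (RFC 2246), 1 is DEFLATE (RFC 3749).
NAMES = {0: "null", 1: "DEFLATE"}


def offered_compression(record: bytes):
    """Return (hello_format, compression method names) for one ClientHello record."""
    try:
        if record[0] & 0x80 and record[2] == 0x01:
            # SSLv2-format hello (RFC 2246 Appendix E): version, three length
            # fields, cipher specs, session id, challenge. There is no
            # compression field, so nothing can be offered.
            struct.unpack(">HHHH", record[3:11])  # raises if truncated
            return "sslv2-compatible", []
        if record[0] != 0x16:
            raise ValueError("not a handshake record")
        body = record[5:5 + struct.unpack(">H", record[3:5])[0]]
        if body[0] != 0x01:
            raise ValueError("not a ClientHello")
        pos = 4 + 2 + 32                  # handshake header, version, random
        pos += 1 + body[pos]              # session id
        pos += 2 + struct.unpack(">H", body[pos:pos + 2])[0]  # cipher suites
        count = body[pos]
        methods = body[pos + 1:pos + 1 + count]
    except (IndexError, struct.error):
        raise ValueError("truncated hello") from None
    if len(methods) != count:
        raise ValueError("truncated compression list")
    return "ssl3/tls", [NAMES.get(m, f"id {m}") for m in methods]


def tls_hello(methods: bytes) -> bytes:
    """Constructed SSLv3/TLS-format ClientHello offering the given method ids."""
    hello = (b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f"
             + bytes([len(methods)]) + methods)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs


def v2_hello() -> bytes:
    """Constructed SSLv2-format ClientHello advertising version 3.1."""
    msg = b"\x01\x03\x01" + struct.pack(">HHH", 3, 0, 16) + b"\x00\x00\x2f" + bytes(16)
    return bytes([0x80 | (len(msg) >> 8), len(msg) & 0xFF]) + msg


if __name__ == "__main__":
    for rec in (tls_hello(b"\x01\x00"), tls_hello(b"\x00"), v2_hello()):
        print(offered_compression(rec))
```

Feeding it the first client record from a packet capture of each s_client run shows whether compression was ever offered, independent of what the server then selects.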