Hi,
Currently openssl-0.9.9 accepts a client hello (session resumption),
with or without the extended hello part. Why is this so?
Is it (or is it not) necessary to check if the extensions are the same
as previously negotiated? i.e., shouldn't the extensions be validated
w.r.t. previously negotiated values like the cipher & compression?
Thanks,
jimmy
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List