> From: owner-openssl-us...@openssl.org On Behalf Of Hihn, Jason
> Sent: Monday, 30 November, 2009 18:09

> I am trying to have a java 1.5 client connect to a OpenSSL TLS server. I
> can connect fine from other OpenSSL implementations.

By default for maximum compatibility across the world-wide-net Java (JSSE) SSLSocket client uses v2-format Hello, even though it aborts if the server agrees to v2 (which is less secure).

> openssl s_server -www -accept 2762 -tls1 -cert "certs\publicKey.pem"
> -key "certs\privateKey.pem"

With -tls1 this expects and allows only v3-and-up format, so the v2 Hello doesn't parse correctly. Either change the server to use "ssl23" mode which handles both, and is the default for s_server; or if you want to enforce v3-and-up only (which may be better securitywise) change the client to .setEnabledProtocols not including SSLv2Hello, before the first data or .startHandshake. (At least in Java 6 I've tested; the jdk6 doc package I have says this isn't new, but I'm not going to dig out an obsolete JRE to verify.)

If you're using one of the higher-level things which creates the SSLSocket "inside", like URL(https).openConnection, there may be some way to tweak this in the Factory, or the environment settings, or such, but I haven't found it.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
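
The framing difference behind the failure described in the reply above, as an added example that is not part of the original message or of OpenSSL or JSSE: a small classifier for a client's first bytes, useful for spotting v2-format hellos in a capture. The function names, the simplified `server_accepts` model of the two server modes, and the sample packets are all constructed for illustration.

```python
import struct

HANDSHAKE = 0x16     # record content type in SSLv3/TLS
CLIENT_HELLO = 0x01  # message type, same value in both formats
NAMES = {(0, 2): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1.0"}

def classify_hello(data: bytes) -> dict:
    """Identify the framing of a client's first flight and the version it offers."""
    if len(data) < 5:
        return {"format": "truncated"}
    # v3-and-up: record header type(1) version(2) length(2), then
    # handshake header type(1) length(3), then client_version(2).
    if data[0] == HANDSHAKE and data[1] == 3:
        if len(data) < 11:
            return {"format": "truncated"}
        if data[5] != CLIENT_HELLO:
            return {"format": "unknown"}
        return {"format": "v3-record", "offers": NAMES.get((data[9], data[10]), "other")}
    # v2 format: 2-byte length with the top bit set, msg type(1), version(2).
    if data[0] & 0x80 and data[2] == CLIENT_HELLO:
        return {"format": "v2-hello", "offers": NAMES.get((data[3], data[4]), "other")}
    return {"format": "unknown"}

def server_accepts(mode: str, data: bytes) -> bool:
    """Simplified model (an assumption) of the two server modes named in the reply."""
    fmt = classify_hello(data)["format"]
    allowed = {"tls1": {"v3-record"}, "ssl23": {"v3-record", "v2-hello"}}
    return fmt in allowed[mode]

def build_v2_hello(version=(3, 1)) -> bytes:
    """Constructed sample: v2-format hello, one cipher spec, 16-byte challenge."""
    body = bytes([CLIENT_HELLO, *version]) + struct.pack(">HHH", 3, 0, 16)
    body += b"\x00\x00\x2f" + bytes(16)
    return struct.pack(">H", 0x8000 | len(body)) + body

def build_v3_hello(version=(3, 1)) -> bytes:
    """Constructed sample: record-format ClientHello with one cipher suite."""
    hello = bytes(version) + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    hs = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE, *version]) + struct.pack(">H", len(hs)) + hs

if __name__ == "__main__":
    for name, pkt in (("v2", build_v2_hello()), ("v3", build_v3_hello())):
        print(name, classify_hello(pkt), "tls1:", server_accepts("tls1", pkt),
              "ssl23:", server_accepts("ssl23", pkt))
```

Note that the v2-format sample still offers TLSv1.0 in its version field: the client wants TLS, and only the wrapper around the hello is the legacy one.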