Hello,

On 11/10/2013 03:35, nehakochar wrote:
Rajesh Malepati wrote:
On Wed, Jul 24, 2013 at 9:30 PM, kirpit <kirpit@> wrote:

The server doesn't seem to care to respond to clients supporting TLS 1.2

ok:
  openssl s_client -tls1 -connect emea.webservices.travelport.com:443

no reply:
  openssl s_client -tls1_2 -connect emea.webservices.travelport.com:443

such servers should be beaten to pulp.
Hi,
I ran into the same problem and then came across this thread. According to
http://tools.ietf.org/html/rfc5246#appendix-E:
   "A TLS 1.2 client who wishes to negotiate with such older servers will
    send a normal TLS 1.2 ClientHello, containing { 3, 3 } (TLS 1.2) in
    ClientHello.client_version.  If the server does not support this
    version, it will respond with a ServerHello containing an older
    version number."

Why then isn't the server responding at all to the Client Hello for TLS1.2?
Is this expected behavior with OpenSSL 1.0.1e? If it is, then this would
need to be fixed as it is not compliant with the RFC.

The server and client are both compliant.

With the first command, you tell the client to use TLS1.0 only. No more, no less. The server is ok with it, and both negotiate TLS1.0. With the second command, you tell the client to use TLS1.2 only, again no more no less. The server receives a TLS1.2 negotiation, replies with a TLS1.0 server hello message, and the client refuses it, cleanly (because you told it to do so).

If you want to allow only TLS1.0, TLS1.1 and TLS1.2, use the "-no_ssl2 -no_ssl3" options instead.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
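
The negotiation described in the reply above, as an added example that is not part of the original thread: a Python model of the RFC 5246 Appendix E version exchange against a server capped at TLS 1.0, with the client policies that correspond to -tls1, -tls1_2 and "-no_ssl2 -no_ssl3". The function names, the zeroed random field and the single cipher suite are constructed for illustration; a server that sends no reply at all is not modelled.

```python
import struct

TLS1_0, TLS1_1, TLS1_2 = (3, 1), (3, 2), (3, 3)

def _record(hs_type, version, body):
    """Wrap a handshake body in a handshake header and a TLS record header."""
    hs = bytes([hs_type]) + struct.pack(">I", len(body))[1:] + body
    return b"\x16" + bytes(version) + struct.pack(">H", len(hs)) + hs

def client_hello(allowed):
    """ClientHello.client_version carries the highest version the client allows."""
    body = bytes(max(allowed)) + bytes(32)   # client_version + random (zeroed, constructed)
    body += b"\x00"                          # empty session_id
    body += b"\x00\x02\x00\x2f"              # one suite: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                      # null compression only
    return _record(0x01, TLS1_0, body)

def server_hello(hello, server_max):
    """Server answers with the lower of client_version and its own maximum."""
    client_version = tuple(hello[9:11])      # after 5-byte record + 4-byte handshake header
    chosen = min(client_version, server_max)
    body = bytes(chosen) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    return _record(0x02, chosen, body)

def client_check(reply, allowed):
    """Parse ServerHello.server_version and test it against the client's policy."""
    if reply[0] != 0x16 or reply[5] != 0x02:
        raise ValueError("not a ServerHello")
    version = tuple(reply[9:11])
    return version, version in allowed

def negotiate(allowed, server_max=TLS1_0):
    """Run one exchange; returns (server_version, accepted_by_client)."""
    return client_check(server_hello(client_hello(allowed), server_max), allowed)

if __name__ == "__main__":
    policies = [("-tls1", {TLS1_0}),
                ("-tls1_2", {TLS1_2}),
                ("-no_ssl2 -no_ssl3", {TLS1_0, TLS1_1, TLS1_2})]
    for flags, allowed in policies:
        version, ok = negotiate(allowed)
        print(f"{flags:18} server chose {version}, client {'accepts' if ok else 'refuses'}")
```
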
