Erwann ABALEA wrote
> Hello,
>
>> Hi,
>> I ran into the same problem and then came across this thread. According
>> to
>> http://tools.ietf.org/html/rfc5246#appendix-E:
>> "A TLS 1.2 client who wishes to negotiate with such older servers will
>> send a normal TLS 1.2 ClientHello, containing { 3, 3 } (TLS 1.2) in
>> ClientHello.client_version. If the server does not support this
>> version, it will respond with a ServerHello containing an older
>> version number."
>>
>> Why then isn't the server responding at all to the Client Hello for
>> TLS1.2?
>> Is this expected behavior with OpenSSL 1.0.1e? If it is, then this would
>> need to be fixed as it is not compliant with the RFC.
>
> The server and client are both compliant.
>
> With the first command, you tell the client to use TLS1.0 only. No more,
> no less. The server is ok with it, and both negotiate TLS1.0.
> With the second command, you tell the client to use TLS1.2 only, again
> no more no less. The server receives a TLS1.2 negotiation, replies with
> a TLS1.0 server hello message, and the client refuses it, cleanly
> (because you told it to do so).
>
> If you want to allow only TLS1.0, TLS1.1 and TLS1.2, use "-no_ssl2
> -no_ssl3" options instead.

In my case, the SSL client is using OpenSSL 1.0.1e. I do not know which version the server is using, but it must be an older version. When the client sends a ClientHello with version 0x0303 (TLS1.2), the server does not respond at all. In which versions of OpenSSL is the above server behavior expected?

--
View this message in context: http://openssl.6102.n7.nabble.com/connection-problem-with-the-version-1-0-1e-tp45935p46880.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
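
The three outcomes discussed in this thread, as an added example that is not part of the original messages and is not OpenSSL code: a client restricted to TLS1.2 only refuses a TLS1.0 ServerHello, a client allowing TLS1.0 through TLS1.2 accepts it, and a server that sends nothing is a separate case from either. The helper names and the sample ServerHello bytes are constructed for illustration.

```python
import struct

TLS1_0, TLS1_1, TLS1_2 = (3, 1), (3, 2), (3, 3)  # {major, minor} as in RFC 5246

def build_server_hello(version):
    """Constructed sample: a minimal ServerHello record announcing `version`."""
    body = (bytes(version)      # ServerHello.server_version
            + bytes(32)         # random (all zero in this sample)
            + b"\x00"           # empty session_id
            + b"\x00\x2f"       # TLS_RSA_WITH_AES_128_CBC_SHA
            + b"\x00")          # null compression
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake

def server_hello_version(record):
    """Return ServerHello.server_version from a raw TLS record."""
    if len(record) < 11:
        raise ValueError("truncated record")
    ctype, _major, _minor, length = struct.unpack("!BBBH", record[:5])
    if ctype != 0x16:
        raise ValueError("not a handshake record (an alert is type 0x15)")
    if len(record) < 5 + length:
        raise ValueError("record shorter than its length field")
    if record[5] != 0x02:
        raise ValueError("handshake message is not a ServerHello")
    # 5-byte record header + 4-byte handshake header, then server_version
    return (record[9], record[10])

def client_decision(record, lowest, highest):
    """Apply the client's allowed version range to whatever the server sent."""
    if not record:
        return "no_reply"   # server stayed silent: nothing to accept or refuse
    version = server_hello_version(record)
    return "accept" if lowest <= version <= highest else "reject"

if __name__ == "__main__":
    reply = build_server_hello(TLS1_0)               # older server answers TLS1.0
    print(client_decision(reply, TLS1_2, TLS1_2))    # client told "TLS1.2 only"
    print(client_decision(reply, TLS1_0, TLS1_2))    # range left by -no_ssl2 -no_ssl3
    print(client_decision(b"", TLS1_0, TLS1_2))      # server never replied
```
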