> On Sep 11, 2018, at 1:17 PM, Jordan Brown <open...@jordan.maileater.net> 
> wrote:
> 
> The key piece that I was missing - I hadn't looked at and thought about the 
> protocol enough - was that there's no version-independent way for the server 
> to fail.  If the server supports only versions larger than the client 
> supports, it has no way to say "no".  If the positions are reversed, the 
> server counter-offers a version that the client then rejects as too old.

In OpenSSL 1.1.x, though the server might not support continuing with the
client's maximum version, it is willing to do so just long enough to send a
fatal protocol version mismatch alert.  It helps that SSL2/SSL3 are not
supported, and TLS 1.0 and up support the alert.

Time to move to OpenSSL 1.1.x, it has many improvements, ...

-- 
        Viktor.
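As an added illustration of the negotiation described above (example code written for this page, not from the thread or from OpenSSL): a small simulation of pre-TLS-1.3 version negotiation showing the fatal protocol_version alert (AlertDescription 70, defined from TLS 1.0 onward) a server can send when the client's maximum is too low, and the client-side rejection when the server counter-offers a version below the client's minimum. Version tuples and the alert record layout follow the TLS RFCs; treating a pre-TLS-1.0 client as one the server can only disconnect is a simplifying assumption that mirrors the thread's point.

```python
# Simulated TLS (pre-1.3) version negotiation with the protocol_version alert path.
# Versions are (major, minor) wire values; Python compares tuples lexicographically.
SSL3, TLS10, TLS11, TLS12 = (3, 0), (3, 1), (3, 2), (3, 3)

CONTENT_TYPE_ALERT = 21        # TLS record ContentType alert
ALERT_LEVEL_FATAL = 2          # AlertLevel fatal
ALERT_PROTOCOL_VERSION = 70    # AlertDescription protocol_version (TLS 1.0+)


def server_hello_version(client_max, server_min, server_max):
    """Server side: return ('hello', version), ('alert', record) or ('close', None).

    Classic negotiation picks min(client_max, server_max).  If that falls below
    server_min, a TLS 1.0+ server can still speak the client's version just long
    enough to send a fatal protocol_version alert; an SSL3-only client gets no
    such alert here (assumption: SSL2/SSL3 are unsupported, as in OpenSSL 1.1.x).
    """
    chosen = min(client_max, server_max)
    if chosen >= server_min:
        return ("hello", chosen)
    if client_max >= TLS10:
        # Record: type, version (2 bytes), length (2 bytes), level, description
        record = bytes([CONTENT_TYPE_ALERT, *client_max, 0, 2,
                        ALERT_LEVEL_FATAL, ALERT_PROTOCOL_VERSION])
        return ("alert", record)
    return ("close", None)


def parse_alert(record):
    """Decode an alert record into (record_version, level, description)."""
    assert record[0] == CONTENT_TYPE_ALERT and record[3:5] == b"\x00\x02"
    return ((record[1], record[2]), record[5], record[6])


def client_accepts(server_version, client_min, client_max):
    """Client side: reject a counter-offered version outside its window."""
    return client_min <= server_version <= client_max


def negotiate(client_min, client_max, server_min, server_max):
    """Run both sides; returns ('ok', v), ('client_reject', v), ('alert', rec) or ('close', None)."""
    kind, payload = server_hello_version(client_max, server_min, server_max)
    if kind != "hello":
        return (kind, payload)
    if client_accepts(payload, client_min, client_max):
        return ("ok", payload)
    return ("client_reject", payload)
```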

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users