Re: [openssl-users] Re: connection problem with the version 1.0.1e

2013-10-12 Thread nehakochar
Erwann ABALEA wrote
 Hello,
 
 Hi,
 I ran into the same problem and then came across this thread. According to
 http://tools.ietf.org/html/rfc5246#appendix-E:
   A TLS 1.2 client who wishes to negotiate with such older servers will
   send a normal TLS 1.2 ClientHello, containing { 3, 3 } (TLS 1.2) in
   ClientHello.client_version.  If the server does not support this
   version, it will respond with a ServerHello containing an older
   version number.

 Why then the server isn't responding at all to the Client Hello for TLS1.2?
 Is this expected behavior with OpenSSL 1.0.1e? If it is, then this would
 need to be fixed as it is not compliant with the RFC.
 
 The server and client are both compliant.
 
 With the first command, you tell the client to use TLS1.0 only. No more,
 no less. The server is ok with it, and both negotiate TLS1.0.
 With the second command, you tell the client to use TLS1.2 only, again
 no more no less. The server receives a TLS1.2 negotiation, replies with
 a TLS1.0 server hello message, and the client refuses it, cleanly
 (because you told it to do so).
 
 If you want to allow only TLS1.0, TLS1.1 and TLS1.2, use -no_ssl2 
 -no_ssl3 options instead.

In my case, the SSL client is using OpenSSL 1.0.1e. I do not know which version
the server is using, but it must be an older version. When the client is sending
ClientHello with version 0x0303 (TLS1.2), the server does not respond at
all. In which versions of OpenSSL is the above server behavior expected?



--
View this message in context: 
http://openssl.6102.n7.nabble.com/connection-problem-with-the-version-1-0-1e-tp45935p46880.html
Sent from the OpenSSL - User mailing list archive at Nabble.com.
__
OpenSSL Project                 http://www.openssl.org
User Support Mailing List       openssl-users@openssl.org
Automated List Manager          majord...@openssl.org
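
The outcomes discussed in this thread, as an added example that is not part of any poster's message and is not OpenSSL code: a Python parser that classifies a server's first reply against the version range the client is willing to accept. The function names, result strings and the sample ServerHello record are constructed for illustration; the flag names in the demo are the s_client options quoted in the thread.

```python
import struct

NAMES = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def server_hello(version):
    """Constructed sample: minimal ServerHello record selecting `version`."""
    # server_version, 32-byte random, empty session_id, cipher 0x002f, null compression
    body = struct.pack("!H", version) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 22, version, len(handshake)) + handshake

def outcome(min_v, max_v, reply):
    """Classify the server's first reply for a client that sends max_v in
    ClientHello.client_version and accepts any version in min_v..max_v."""
    if not reply:
        return "no-reply"                 # hello ignored: the case reported in the thread
    if len(reply) < 5:
        return "malformed"
    ctype, _record_version, length = struct.unpack("!BHH", reply[:5])
    frag = reply[5:5 + length]
    if ctype == 21 and len(frag) == 2:
        return "alert-%d" % frag[1]       # 70 is protocol_version
    if ctype != 22 or len(frag) < 6 or frag[0] != 2:
        return "malformed"                # not a ServerHello
    chosen = struct.unpack("!H", frag[4:6])[0]
    name = NAMES.get(chosen, hex(chosen))
    if chosen > max_v:
        return "malformed"                # server may not exceed the client's offer
    if chosen < min_v:
        return "client-rejects-" + name   # RFC-compliant reply, client pinned higher
    return "negotiated-" + name

if __name__ == "__main__":
    tls10_server = server_hello(0x0301)   # a server whose highest version is TLS 1.0
    cases = [
        ("-tls1", 0x0301, 0x0301, tls10_server),
        ("-tls1_2", 0x0303, 0x0303, tls10_server),
        ("-no_ssl2 -no_ssl3", 0x0301, 0x0303, tls10_server),
        ("-tls1_2, silent server", 0x0303, 0x0303, b""),
    ]
    for flags, lo, hi, reply in cases:
        print("%-24s %s" % (flags, outcome(lo, hi, reply)))
```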


Re: connection problem with the version 1.0.1e

2013-10-11 Thread nehakochar
Rajesh Malepati wrote
 On Wed, Jul 24, 2013 at 9:30 PM, kirpit <kirpit@> wrote:
 
 The server doesn't seem to care to respond to clients supporting TLS 1.2
 
 ok:
  openssl s_client -tls1 -connect emea.webservices.travelport.com:443
 
 no reply:
 openssl s_client -tls1_2 -connect emea.webservices.travelport.com:443
 
 such servers should be beaten to pulp.

Hi,
I ran into the same problem and then came across this thread. According to
http://tools.ietf.org/html/rfc5246#appendix-E:
  A TLS 1.2 client who wishes to negotiate with such older servers will
   send a normal TLS 1.2 ClientHello, containing { 3, 3 } (TLS 1.2) in
   ClientHello.client_version.  If the server does not support this
   version, it will respond with a ServerHello containing an older
   version number.

Why then the server isn't responding at all to the Client Hello for TLS1.2?
Is this expected behavior with OpenSSL 1.0.1e? If it is, then this would
need to be fixed as it is not compliant with the RFC.



--
View this message in context: 
http://openssl.6102.n7.nabble.com/connection-problem-with-the-version-1-0-1e-tp45935p46868.html


Re: connection problem with the version 1.0.1e

2013-10-11 Thread nehakochar
nehakochar wrote
 Is this expected behavior with OpenSSL 1.0.1e? If it is, then this would
 need to be fixed as it is not compliant with the RFC.

Correction: I am not sure if it is 1.0.1e that is the problematic version.
But would like to know if this is expected behavior (although incorrect)
with OpenSSL, and if yes, is it true for all versions (including 1.0.1e)?



--
View this message in context: 
http://openssl.6102.n7.nabble.com/connection-problem-with-the-version-1-0-1e-tp45935p46869.html