Hi,
The function smp_fetch_ssl_hello_sni() only supports record layer version
and client hello version greater than or equal to 3.1. But RFC 5246, in
Appendix E, says that TLS versions 1.0, 1.1, and 1.2, and SSL 3.0 are very
similar, and also if we check the last 2 paragraphs as mentioned
below
Hi,
On Thu, Apr 10, 2014 at 10:33:38AM +0530, Pravin Tatti wrote:
Hi,
The function smp_fetch_ssl_hello_sni() only supports record layer version
and client hello
I would suggest that it will not harm even if you relax the check for
client hello too, as the old client using SSL 3.0 is still supported and
it's according to the RFC, and also note that the max supported TLS version is
3.3. I would suggest the below mentioned changes.
288c288
/* Check for
I too agree with your first comment: relax only the check for the record layer
version, as SNI is an extension for TLS protocols.
I think the next version may or may not contain the same client hello
format. If it allows, I don't have any issues; if it doesn't allow, then the
code may crash or it may return
OK, fine, you can be forward compatible, but I still don't agree. It's my
personal opinion: if I don't know what the packet format is for the next version,
why should I support it? But this was not the major issue for which I
started the discussion. I think the major issue is relaxing the record layer
check to SSLv3
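The check discussed in this thread, as an added example that is not part of the original messages and is not HAProxy's code: a bounds-checked ClientHello walk that extracts the SNI host name, with the record-layer version floor made a parameter while the client hello version stays at 3.1 or higher. The names `hello_sni`, `min_rec_minor`, `struct cur` and `sample_hello` are hypothetical, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>

struct cur { const uint8_t *p; size_t n; };   /* bounded read cursor */

/* Read a w-byte big-endian integer; -1 if the buffer is too short. */
static long get(struct cur *c, int w) {
    long v = 0;
    if (c->n < (size_t)w) return -1;
    while (w--) { v = (v << 8) | *c->p++; c->n--; }
    return v;
}

/* Split off a vector with a w-byte length prefix; nonzero if truncated. */
static int sub(struct cur *c, int w, struct cur *out) {
    long l = get(c, w);
    if (l < 0 || (size_t)l > c->n) return -1;
    out->p = c->p; out->n = (size_t)l;
    c->p += l; c->n -= (size_t)l;
    return 0;
}

/* Hypothetical helper: returns the SNI length (0 if none or malformed).
 * min_rec_minor = 1 is the ">= 3.1" record check, 0 also accepts 3.0 records. */
size_t hello_sni(const uint8_t *buf, size_t len, int min_rec_minor, const uint8_t **name) {
    struct cur rec = { buf, len }, hs, body, v, exts, ext, list, host;
    long t;
    if (get(&rec, 1) != 0x16) return 0;                        /* handshake record */
    if (get(&rec, 1) != 3 || get(&rec, 1) < min_rec_minor) return 0;
    if (sub(&rec, 2, &hs) || get(&hs, 1) != 1 || sub(&hs, 3, &body)) return 0;
    if (get(&body, 1) != 3 || get(&body, 1) < 1 || body.n < 32) return 0; /* hello >= 3.1 */
    body.p += 32; body.n -= 32;                                /* skip random */
    /* session id, cipher suites, compression methods, then the extension block */
    if (sub(&body, 1, &v) || sub(&body, 2, &v) || sub(&body, 1, &v)) return 0;
    if (sub(&body, 2, &exts)) return 0;                        /* no extensions, no SNI */
    while (exts.n) {
        if ((t = get(&exts, 2)) < 0 || sub(&exts, 2, &ext)) return 0;
        if (t != 0) continue;                                  /* 0 = server_name */
        if (sub(&ext, 2, &list) || get(&list, 1) != 0 || sub(&list, 2, &host)) return 0;
        *name = host.p;
        return host.n;
    }
    return 0;
}

/* Constructed sample: record version 3.0, ClientHello 3.3, SNI "example.com". */
const uint8_t sample_hello[] = {
    0x16, 3, 0, 0, 0x43,  1, 0, 0, 0x3f,  3, 3,
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,
    0,  0, 2, 0, 0x2f,  1, 0,  0, 0x14,  0, 0, 0, 0x10, 0, 0x0e, 0, 0, 0x0b,
    'e','x','a','m','p','l','e','.','c','o','m' };
```

With `min_rec_minor` set to 1 the sample yields no SNI; with 0 the same bytes yield `example.com`.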