On Friday, 13 May 2005 20:32, Bodo Moeller wrote:
> On Wed, May 11, 2005 at 02:14:23PM +0200, Thomas Biege wrote:
> > You see I use SSLv23_method() and later SSL_CTX_set_options(ctx,
> > SSL_OP_NO_SSLv2); to disable SSLv2 support.
> >
> > Is it normal that the "Client Hello" message is SSLv2 and later TLS is
> > used?

> Yes. In the past this used to be necessary because some SSL 3.0
> implementations were confused by seeing TLS 1.0 records in the Client
> Hello. But now these issues should be history.

Why wasn't SSLv3(.0) used? Or will only headers of SSLv3(.1) be
identified as "real" SSLv3? I am a bit confused because everyone tells you that
SSLv2 isn't secure and so its usage should be avoided... and then it was
used silently. Maybe its insecurity doesn't matter in this early stage.

> A change of behaviour will be in the next versions of the following
> OpenSSL snapshots, located in directory >;type=d/>:
> openssl-0.9.7-stable-SNAP-.tar.gz (0.9.7 series)
> openssl-SNAP-.tar.gz (0.9.8-dev)
> The 20050512 (and later) snapshots will have the change. Please test
> one of these and let us know about any problems.

I used openssl-0.9.7e but can test the newer ones too.


fingerprint = F055 43E5 1F3C 4F4F 9182 CD59 DBC6 111A 8516 8DBF
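The distinction behind this exchange, that an SSLv2-compatible *framing* of the ClientHello is not the same thing as offering SSLv2, is something you can check directly on a captured ClientHello. The following is an added example in Python; it is not code from this thread or from OpenSSL. The encoders, the parser and the three sample messages are constructed here for illustration. The cipher identifiers used (TLS suites 0x002F and 0x0035, and the SSLv2 cipher spec 01 00 80 for RC4-128/MD5) are taken from the public specifications, not from the thread; the encoding of a TLS suite inside a v2 hello as {0x00, suite_id} follows RFC 2246, Appendix E.

```python
"""Classify a ClientHello as SSLv2-framed or SSLv3/TLS-framed and list what it
offers.  Added example; not code from the thread or from OpenSSL.  All sample
messages below are constructed by hand, not captured on the wire."""
import struct

MSG_CLIENT_HELLO_V2 = 0x01        # SSLv2 MSG-CLIENT-HELLO
CONTENT_TYPE_HANDSHAKE = 0x16     # SSLv3/TLS record content type
HS_CLIENT_HELLO = 0x01            # SSLv3/TLS handshake type client_hello


def build_v2_hello(version: int, specs: list[bytes], challenge: bytes) -> bytes:
    """Encode an SSLv2-format ClientHello: 2-byte header with the high bit set and
    a 15-bit length, then type, version, three lengths, cipher specs, challenge."""
    body = bytes([MSG_CLIENT_HELLO_V2])
    body += struct.pack(">HHHH", version, 3 * len(specs), 0, len(challenge))
    body += b"".join(specs) + challenge            # empty session id, then challenge
    return struct.pack(">H", 0x8000 | len(body)) + body


def build_v3_hello(version: int, suites: list[int], client_random: bytes) -> bytes:
    """Encode a minimal SSLv3/TLS-format ClientHello (no extensions)."""
    hs = struct.pack(">H", version) + client_random + b"\x00"      # empty session id
    hs += struct.pack(">H", 2 * len(suites)) + b"".join(struct.pack(">H", s) for s in suites)
    hs += b"\x01\x00"                                              # one compression method: null
    handshake = bytes([HS_CLIENT_HELLO]) + len(hs).to_bytes(3, "big") + hs
    return bytes([CONTENT_TYPE_HANDSHAKE]) + struct.pack(">HH", version, len(handshake)) + handshake


def parse_client_hello(data: bytes) -> dict:
    """Return the framing, the version the client announces, the TLS suites it
    offers, and any genuine SSLv2 cipher specs (only a v2-framed hello can carry those)."""
    if len(data) >= 2 and data[0] & 0x80:
        rec_len = struct.unpack(">H", data[:2])[0] & 0x7FFF
        body = data[2:2 + rec_len]
        if len(body) != rec_len or len(body) < 9 or body[0] != MSG_CLIENT_HELLO_V2:
            raise ValueError("truncated or non-ClientHello SSLv2 record")
        version, cs_len, sid_len, ch_len = struct.unpack(">HHHH", body[1:9])
        if cs_len % 3 or len(body) != 9 + cs_len + sid_len + ch_len:
            raise ValueError("SSLv2 ClientHello length fields disagree with record")
        specs = [body[9 + i:12 + i] for i in range(0, cs_len, 3)]
        # RFC 2246 App. E: a TLS suite inside a v2 hello is encoded as {0x00, suite_id};
        # anything with a non-zero first byte is a real SSLv2 cipher spec.
        tls_suites = [int.from_bytes(s[1:], "big") for s in specs if s[0] == 0x00]
        v2_ciphers = [s.hex() for s in specs if s[0] != 0x00]
        return {"framing": "sslv2", "version": version,
                "tls_suites": tls_suites, "v2_ciphers": v2_ciphers}
    if len(data) >= 5 and data[0] == CONTENT_TYPE_HANDSHAKE:
        rec_len = struct.unpack(">H", data[3:5])[0]
        body = data[5:5 + rec_len]
        if len(body) != rec_len or len(body) < 4 or body[0] != HS_CLIENT_HELLO:
            raise ValueError("truncated or non-ClientHello TLS record")
        hs_len = int.from_bytes(body[1:4], "big")
        hs = body[4:4 + hs_len]
        if len(hs) != hs_len or len(hs) < 35:
            raise ValueError("truncated ClientHello handshake body")
        version = struct.unpack(">H", hs[:2])[0]
        pos = 2 + 32                                   # skip client_random
        sid_len = hs[pos]
        pos += 1 + sid_len
        cs_len = struct.unpack(">H", hs[pos:pos + 2])[0]
        pos += 2
        if cs_len % 2 or pos + cs_len > len(hs):
            raise ValueError("cipher_suites length overruns handshake body")
        tls_suites = [struct.unpack(">H", hs[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
        return {"framing": "sslv3", "version": version,
                "tls_suites": tls_suites, "v2_ciphers": []}
    raise ValueError("first byte is neither an SSLv2 header nor a TLS handshake record")


def can_negotiate_sslv2(hello: dict) -> bool:
    """An SSLv2 session needs a v2-framed hello AND at least one genuine SSLv2
    cipher spec for the server to pick; v2 framing by itself is not an offer of SSLv2."""
    return hello["framing"] == "sslv2" and bool(hello["v2_ciphers"])


# Constructed samples (not captured): TLS suites AES128-SHA (0x002F) and
# AES256-SHA (0x0035), plus the SSLv2 spec SSL_CK_RC4_128_WITH_MD5 = 01 00 80.
TLS_SUITES = [0x002F, 0x0035]
V2_SPECS_TLS_ONLY = [b"\x00\x00\x2f", b"\x00\x00\x35"]
SSL2_RC4_128_MD5 = b"\x01\x00\x80"
CHALLENGE = bytes(range(16))
CLIENT_RANDOM = bytes(32)

V2_FRAMED_TLS_HELLO = build_v2_hello(0x0301, V2_SPECS_TLS_ONLY, CHALLENGE)
V2_FRAMED_MIXED_HELLO = build_v2_hello(0x0301, V2_SPECS_TLS_ONLY + [SSL2_RC4_128_MD5], CHALLENGE)
V3_FRAMED_HELLO = build_v3_hello(0x0301, TLS_SUITES, CLIENT_RANDOM)

if __name__ == "__main__":
    for name, msg in [("v2-framed, TLS suites only", V2_FRAMED_TLS_HELLO),
                      ("v2-framed, with an SSLv2 cipher", V2_FRAMED_MIXED_HELLO),
                      ("v3-framed", V3_FRAMED_HELLO)]:
        h = parse_client_hello(msg)
        print(f"{name}: {h}  sslv2 possible: {can_negotiate_sslv2(h)}")
```

The first sample is the shape of hello the question describes: a v2-framed record whose version field already says TLS 1.0 and whose cipher specs are all TLS suites, so there is nothing an SSLv2 server could select. The second adds a real SSLv2 cipher spec, which is the case that actually matters for "SSLv2 should be avoided". The third is the plain SSLv3/TLS framing.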
