On Friday, 13 May 2005 20:32, Bodo Moeller wrote:
> On Wed, May 11, 2005 at 02:14:23PM +0200, Thomas Biege wrote:
> > You see I use SSLv23_method() and later SSL_CTX_set_options(ctx,
> > SSL_OP_ALL | SSL_OP_NO_SSLv2); to disable SSLv2 support.
> >
> > Is it normal that the "Client Hello" message is SSLv2 and later TLS is
> > used?
>
> Yes. In the past this used to be necessary because some SSL 3.0
> implementations were confused by seeing TLS 1.0 records in the Client
> Hello. But now these issues should be history.


Why wasn't SSLv3(.0) used? Or will only headers of SSLv3(.1) be
identified as "real" SSLv3? I am confused a bit b/c everyone tells you that
SSLv2 isn't secure and so usage of it should be avoided... and then it was
used silently. Maybe its insecurity doesn't matter in this early stage.


> A change of behaviour will be in the next versions of the following
> OpenSSL snapshots, located in directory <ftp://ftp.openssl.org/snapshot;type=d/>:
>
> openssl-0.9.7-stable-SNAP-.tar.gz (0.9.7 series)
> openssl-SNAP-.tar.gz (0.9.8-dev)
>
> The 20050512 (and later) snapshots will have the change. Please test
> one of these and let us know about any problems.


I used openssl-0.9.7e but can test the newer ones too.


Bye,
Thomas

--
Tom
fingerprint = F055 43E5 1F3C 4F4F 9182 CD59 DBC6 111A 8516 8DBF
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org
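
The framing discussed in this thread, as an added example that is not part of the original message or of OpenSSL's code: an SSLv2-format Client Hello is only an envelope, and its version field carries the highest protocol the client offers (3.1 for TLS 1.0), which is why TLS is negotiated afterwards. The function name `classify_hello`, the enum and both byte arrays are hypothetical and constructed for illustration; the check can be applied to the first bytes of a captured connection to tell a v2-framed TLS offer from a genuine SSLv2-only client.

```c
#include <stddef.h>
#include <stdio.h>

enum hello_kind { HELLO_UNKNOWN, HELLO_V2_FORMAT, HELLO_V3_RECORD };

/* Classify the first bytes a client sends and report the highest protocol
 * version it offers (0x0002 = SSLv2, 0x0300 = SSLv3, 0x0301 = TLS 1.0). */
enum hello_kind classify_hello(const unsigned char *b, size_t n, unsigned *ver)
{
    *ver = 0;
    /* SSLv2 framing: 2-byte header with the high bit set, then CLIENT-HELLO (1). */
    if (n >= 11 && (b[0] & 0x80) && b[2] == 0x01) {
        size_t rec = ((size_t)(b[0] & 0x7f) << 8) | b[1];
        size_t cs  = ((size_t)b[5] << 8) | b[6];   /* cipher-spec bytes */
        size_t sid = ((size_t)b[7] << 8) | b[8];   /* session-id bytes  */
        size_t ch  = ((size_t)b[9] << 8) | b[10];  /* challenge bytes   */
        /* Reject frames whose inner lengths do not add up to the header. */
        if (cs == 0 || cs % 3 != 0 || rec != 9 + cs + sid + ch || n < rec + 2)
            return HELLO_UNKNOWN;
        *ver = ((unsigned)b[3] << 8) | b[4];
        return HELLO_V2_FORMAT;
    }
    /* SSLv3/TLS framing: handshake record (22) carrying client_hello (1). */
    if (n >= 11 && b[0] == 0x16 && b[1] == 0x03 && b[5] == 0x01) {
        *ver = ((unsigned)b[9] << 8) | b[10];
        return HELLO_V3_RECORD;
    }
    return HELLO_UNKNOWN;
}

/* Constructed sample: SSLv2-format hello offering TLS 1.0 (3.1), one cipher spec. */
static const unsigned char sample_v2_compat[] = {
    0x80, 0x1c, 0x01, 0x03, 0x01, 0x00, 0x03, 0x00, 0x00, 0x00, 0x10,
    0x00, 0x00, 0x2f,
    1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
/* Constructed sample: first 11 bytes of a TLS 1.0 record-format Client Hello. */
static const unsigned char sample_tls_record[] = {
    0x16, 0x03, 0x01, 0x00, 0x2d, 0x01, 0x00, 0x00, 0x29, 0x03, 0x01 };

int main(void)
{
    unsigned v;
    enum hello_kind k = classify_hello(sample_v2_compat, sizeof sample_v2_compat, &v);
    printf("v2-format=%d offers %u.%u\n", k == HELLO_V2_FORMAT, v >> 8, v & 0xff);
    k = classify_hello(sample_tls_record, sizeof sample_tls_record, &v);
    printf("v3-record=%d offers %u.%u\n", k == HELLO_V3_RECORD, v >> 8, v & 0xff);
    return 0;
}
```

A result of `HELLO_V2_FORMAT` with version 0x0002 is the case that SSL_OP_NO_SSLv2 refuses; the same framing with 0x0300 or 0x0301 proceeds as SSLv3 or TLS.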