> > Why wasn't SSLv3(.0) used? Or will only headers of SSLv3(.1) be
> > identified as "real" SSLv3? I am confused a bit b/c everyone tells you
> > that SSLv2 isn't secure and so usage of it should be avoided... and then
> > it was used silently. Maybe its insecurity doesn't matter in this early
> > stage.
>
> With SSL_OP_NO_SSLv2, SSL 2.0 was never used, so its security problems
> did not apply. The SSL 2.0 compatible client hello message that was
> generated by SSLv23_client_method() is just a different way of
> arranging essentially the same information that occurs in an SSL 3.0
> or TLS 1.0 client hello message. (You just can't list compression
> techniques in the SSL 2.0 format, and you can't include TLS
> extensions. TLS extensions are not yet supported by OpenSSL, though.)


[...]

Thanks for the answer!

Thomas

--
Tom
fingerprint = F055 43E5 1F3C 4F4F 9182 CD59 DBC6 111A 8516 8DBF
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org
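
The point made in the quoted reply, as an added example that is not part of the original mail and is not OpenSSL code: a small C parser that reads a client's first bytes in either the SSL 2.0 compatible layout or the SSL 3.0/TLS record layout and extracts the same fields, showing that the version field, not the framing, says which protocol is offered. The names (parse_client_hello, hello_info, sample_v2, sample_v3) are hypothetical and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum hello_format { HELLO_UNKNOWN, HELLO_V2_COMPAT, HELLO_V3_RECORD };

struct hello_info {
    enum hello_format format;
    uint8_t major, minor;   /* highest version the client offers */
    size_t n_ciphers;       /* cipher entries listed */
    int n_compression;      /* -1: the layout has no such field */
};

static size_t be16(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }

/* Classify a client's first bytes and pull out the fields both layouts carry. */
static struct hello_info parse_client_hello(const uint8_t *p, size_t len)
{
    struct hello_info h = { HELLO_UNKNOWN, 0, 0, 0, -1 };
    if (len >= 11 && (p[0] & 0x80) && p[2] == 0x01) {
        /* SSL 2.0 layout: 2-byte header, msg type 1, version, three lengths */
        size_t rec = be16(p) & 0x7fff, cs = be16(p + 5);
        size_t rest = be16(p + 7) + be16(p + 9);   /* session id + challenge */
        if (rec + 2 > len || rec != 9 + cs + rest || cs % 3) return h;
        h = (struct hello_info){ HELLO_V2_COMPAT, p[3], p[4], cs / 3, -1 };
    } else if (len >= 44 && p[0] == 0x16 && p[5] == 0x01) {
        /* SSL 3.0/TLS layout: record hdr, handshake hdr, version, 32-byte random */
        size_t off = 43 + 1 + p[43], cs;           /* skip session id */
        if (off + 2 > len) return h;
        cs = be16(p + off);
        off += 2 + cs;                             /* skip cipher suites */
        if (cs % 2 || off >= len || off + 1 + p[off] > len) return h;
        h = (struct hello_info){ HELLO_V3_RECORD, p[9], p[10], cs / 2, p[off] };
    }
    return h;
}

/* Constructed samples (zero-filled challenge/random), both offering version 3.1. */
static const uint8_t sample_v2[33] = { 0x80,0x1f, 0x01, 0x03,0x01, 0x00,0x06,
    0x00,0x00, 0x00,0x10, 0x00,0x00,0x2f, 0x00,0x00,0x0a };
static const uint8_t sample_v3[52] = { 0x16,0x03,0x01,0x00,0x2f, 0x01,0x00,0x00,0x2b,
    0x03,0x01, [43] = 0x00, 0x00,0x04, 0x00,0x2f, 0x00,0x0a, 0x01, 0x00 };

int main(void)
{
    struct hello_info a = parse_client_hello(sample_v2, sizeof sample_v2);
    struct hello_info b = parse_client_hello(sample_v3, sizeof sample_v3);
    printf("v2-compat offers %d.%d; v3 record offers %d.%d with %d compression\n",
           a.major, a.minor, b.major, b.minor, b.n_compression);
    return 0;
}
```
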