Re: Version negotiation failure failure?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




> On Sep 11, 2018, at 1:17 PM, Jordan Brown <openssl@xxxxxxxxxxxxxxxxxxxx> wrote:
> 
> The key piece that I was missing - I hadn't looked at and thought about the protocol enough - was that there's no version-independent way for the server to fail.  If the server supports only versions larger than the client supports, it has no way to say "no".  If the positions are reversed, the server counter-offers a version that the client then rejects as too old.

In OpenSSL 1.1.x, though the server might not support continuing with the client's
maximum version, it is willing to do so just long enough to send a fatal protocol
version mismatch alert.  It helps that SSL2/SSL3 are not supported, and TLS 1.0
and up support the alert.

Time to move to OpenSSL 1.1.x, it has many improvements, ...

-- 
	Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux