Re: Version negotiation failure failure?
On 11/09/2018 19:34, Viktor Dukhovni wrote:

> On Sep 11, 2018, at 1:17 PM, Jordan Brown <openssl@xxxxxxxxxxxxxxxxxxxx> wrote:
>
>> The key piece that I was missing - I hadn't looked at and thought about the protocol enough - was that there's no version-independent way for the server to fail.  If the server supports only versions larger than the client supports, it has no way to say "no".  If the positions are reversed, the server counter-offers a version that the client then rejects as too old.
>
> In OpenSSL 1.1.x, though the server might not support continuing with the client's
> maximum version, it is willing to do so just long enough to send a fatal protocol
> version mismatch alert.  It helps that SSL2/SSL3 are not supported, and TLS 1.0
> and up support the alert.
>
> Time to move to OpenSSL 1.1.x, it has many improvements, ...

Clarification question, as I cannot match what you wrote above with
the changelog (NEWS) in the OpenSSL 1.1.1 tarball:

- Does OpenSSL 1.1.1 include SSL3.0 support or not?

Note that some real world clients are permanently stuck at SSL 3.0
due to the vendor refusing to release updates.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
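The two outcomes discussed above (the server answering the client's maximum version just long enough to send a fatal protocol_version alert, versus the server counter-offering a version the client then rejects as too old) can be seen in the first record the server sends back. The following parser is an added example, not code from the thread or from OpenSSL; it decodes that first record, tells a fatal protocol_version alert apart from a ServerHello, and applies the client's min/max policy. The two sample records are constructed inline and the helper names (classify_server_response, client_decision) are the example's own. It only reads the pre-TLS 1.3 server_version field of the ServerHello; a TLS 1.3 server signals its version in the supported_versions extension, which this example does not parse.

```python
"""Classify the first TLS record a server sends after a ClientHello.

Added example for the openssl-users thread above; not OpenSSL code.
Sample records below are constructed by hand so this runs offline.
"""
import struct

# TLS record-layer content types (RFC 5246, section 6.2.1)
CONTENT_ALERT = 21
CONTENT_HANDSHAKE = 22

# Alert level and description values (RFC 5246, section 7.2)
ALERT_LEVEL_FATAL = 2
ALERT_PROTOCOL_VERSION = 70

HANDSHAKE_SERVER_HELLO = 2

VERSION_NAMES = {
    (3, 0): "SSL 3.0",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
    (3, 4): "TLS 1.3",
}

# Constructed: a TLS 1.2-only server answering a client whose maximum was
# TLS 1.0.  It replies in a TLS 1.0 record (03 01) carrying a fatal (02)
# protocol_version (70 = 0x46) alert, which is what Viktor describes.
SAMPLE_ALERT = bytes.fromhex("15030100020246")

# Constructed: minimal TLS 1.2 ServerHello (all-zero random, empty session
# id, one cipher suite, null compression), 42-byte record, 38-byte handshake body.
SAMPLE_SERVER_HELLO = (
    b"\x16\x03\x03\x00\x2a"   # handshake record, TLS 1.2, length 42
    + b"\x02\x00\x00\x26"     # ServerHello, body length 38
    + b"\x03\x03"             # server_version = TLS 1.2
    + bytes(32)               # random
    + b"\x00"                 # session_id length 0
    + b"\xc0\x2f"             # cipher_suite
    + b"\x00"                 # compression_method null
)


def version_name(ver):
    return VERSION_NAMES.get(ver, "unknown %d.%d" % ver)


def parse_record(data):
    """Split one TLS record into (content_type, record_version, body)."""
    if len(data) < 5:
        raise ValueError("record header truncated")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("record body truncated")
    return ctype, (major, minor), body


def classify_server_response(data):
    """Describe the server's first record as a dict.

    kind is 'alert', 'server_hello' or 'other'.  For an alert,
    version_mismatch is True for the protocol_version alert; versions are
    (major, minor) tuples so the caller can compare them.
    """
    ctype, rec_ver, body = parse_record(data)
    result = {"record_version": rec_ver}
    if ctype == CONTENT_ALERT:
        if len(body) != 2:
            raise ValueError("alert body must be exactly two bytes")
        level, desc = body[0], body[1]
        result.update(kind="alert", fatal=(level == ALERT_LEVEL_FATAL),
                      description=desc,
                      version_mismatch=(desc == ALERT_PROTOCOL_VERSION))
    elif ctype == CONTENT_HANDSHAKE and body and body[0] == HANDSHAKE_SERVER_HELLO:
        if len(body) < 6:
            raise ValueError("ServerHello truncated")
        if int.from_bytes(body[1:4], "big") != len(body) - 4:
            raise ValueError("ServerHello length field does not match record")
        result.update(kind="server_hello",
                      negotiated_version=(body[4], body[5]))
    else:
        result.update(kind="other", content_type=ctype)
    return result


def client_decision(response, client_min, client_max):
    """Apply the client's version policy to the classified response.

    Returns 'server_rejected_our_version' (the server said no via the alert),
    'connected' (counter-offer inside our range), or
    'we_reject_servers_version' (counter-offer too old, so the client would
    now send its own protocol_version alert).
    """
    if response["kind"] == "alert":
        if response["fatal"] and response["version_mismatch"]:
            return "server_rejected_our_version"
        return "other_alert"
    if response["kind"] == "server_hello":
        if client_min <= response["negotiated_version"] <= client_max:
            return "connected"
        return "we_reject_servers_version"
    return "unexpected"


if __name__ == "__main__":
    for label, rec in (("alert", SAMPLE_ALERT), ("hello", SAMPLE_SERVER_HELLO)):
        r = classify_server_response(rec)
        print(label, r, client_decision(r, (3, 0), (3, 1)))
```

Run stand-alone it prints the two classified records and the decision a client stuck at SSL 3.0/TLS 1.0 (the situation Jakob raises) would take: the alert case comes back as the server rejecting the client's version, and the TLS 1.2 counter-offer is rejected by the client as outside its range.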