On Thu, Apr 10, 2014 at 06:30:26PM +0530, Pravin Tatti wrote:
> I think you still didn't understand the problem. There are two versions in
> SSL: one is the record layer hello version and the other is the client hello
> version. Any application that supports TLS versions 1.0, 1.1, 1.3 or SSLv3
> (client hello version) may contain SSL 3.0 as the record layer version
> number, and once the negotiation is done the record layer version is updated.
> The problem is not with SSLv3 alone; the problem is with all the TLS
> versions 1.0, 1.1, 1.3 or SSLv3 which have the record layer version as SSLv3
> for the client hello packet.

OK thanks for clarifying.

> The problem is that the application using gnutls instead of openssl has the
> record layer hello version set to SSL 3.0 for the client hello handshake and
> the client hello version set to TLSv2 (max TLS version supported by client).
>
> What I suggest is that fetching of SNI is still valid even if the record
> layer version is 3.0 and the actual client hello version is any of the TLS
> versions including SSLv3.

Fine, could you send a patch to do that then?

Willy
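The SNI lookup Pravin describes, written out as an added example in C (not HAProxy's own code): the record layer is only required to carry major version 3, so a record version of 3.0 is accepted, and the handshake's client_version is checked separately. The parser is run over a constructed ClientHello whose record version is 3.0 and whose client_version is 3.3 (TLS 1.2); BE16, extract_sni, sample and demo_sni are names chosen here.

```c
#include <stdint.h>
#include <string.h>
#define BE16(p) (((size_t)(p)[0] << 8) | (p)[1])
/* Copy the SNI host_name of a TLS ClientHello record into out (NUL-terminated).
 * Returns the name length, 0 if the hello carries no SNI, -1 if malformed.
 * Only the major version byte is checked at the record layer: it may still
 * say 3.0 (SSLv3) while client_version is 3.1..3.3, because the record version
 * is only settled once negotiation completes. A hello split over several
 * records is treated as malformed here. */
int extract_sni(const uint8_t *b, size_t len, char *out, size_t outlen)
{
    size_t rec_len, p, end, ext_end;
    if (len < 5 || b[0] != 0x16 || b[1] != 3) return -1;   /* handshake record, 3.x */
    rec_len = BE16(b + 3);
    if (rec_len + 5 > len || rec_len < 5) return -1;
    if (b[5] != 1 || b[6] || BE16(b + 7) + 4 > rec_len || b[9] != 3) return -1;
    end = 9 + BE16(b + 7);                                /* end of ClientHello body */
    p = 9 + 2 + 32;                                       /* skip client_version + random */
    if (p + 1 > end) return -1; p += 1 + b[p];            /* session_id */
    if (p + 2 > end) return -1; p += 2 + BE16(b + p);     /* cipher_suites */
    if (p + 1 > end) return -1; p += 1 + b[p];            /* compression_methods */
    if (p + 2 > end) return 0;                            /* no extensions block */
    ext_end = p + 2 + BE16(b + p); p += 2;
    if (ext_end > end) return -1;
    while (p + 4 <= ext_end) {
        size_t type = BE16(b + p), elen = BE16(b + p + 2), nlen;
        p += 4;
        if (p + elen > ext_end) return -1;
        if (type != 0) { p += elen; continue; }           /* not server_name */
        if (elen < 5 || b[p + 2] != 0) return -1;         /* name_type must be host_name */
        nlen = BE16(b + p + 3);
        if (nlen + 5 > elen || nlen + 1 > outlen) return -1;
        memcpy(out, b + p + 5, nlen); out[nlen] = '\0';
        return (int)nlen;
    }
    return 0;
}
/* Constructed sample, not a capture: record version 3.0, client_version 3.3, zeroed random. */
static const uint8_t sample[] = {
    0x16, 0x03, 0x00, 0x00, 0x43,             /* handshake record, version 3.0, len 67 */
    0x01, 0x00, 0x00, 0x3f, 0x03, 0x03,       /* ClientHello len 63, client_version 3.3 */
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, /* random */
    0x00, 0x00, 0x02, 0xc0, 0x2f, 0x01, 0x00, /* session_id, cipher_suites, compression */
    0x00, 0x14, 0x00, 0x00, 0x00, 0x10,       /* extensions len 20; server_name ext len 16 */
    0x00, 0x0e, 0x00, 0x00, 0x0b,             /* list len 14, host_name, name len 11 */
    'e','x','a','m','p','l','e','.','c','o','m'
};
const char *demo_sni(void)
{
    static char host[256];                     /* hostname from the sample, or NULL */
    return extract_sni(sample, sizeof sample, host, sizeof host) > 0 ? host : NULL;
}
```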