On Tue, Oct 17, 2000 at 11:21:48AM +0200, Lutz Jaenicke wrote:
> On Tue, Oct 17, 2000 at 11:08:25AM +0200, Bodo Moeller wrote:
>> On Mon, Oct 09, 2000 at 10:21:56PM -0600, Peter Dennis Bartok wrote:
>>> In a server that supports TLS (e.g. a imap server), when the server receives
>>> the STARTTLS command, should the method that the SSL_CTX is created with be
>>> SSLv23_method() or TLSv1_method()? I was under the impression that it should
>>> be TLSv1_method(), thus the START>TLS< command, but I cannot find any
>>> documentation to prove it.
>> For backwards compatibility with SSL only clients, you should use
>> TLSv1_method. I think Paul agreed to add something to this effect
>> to the next draft for the successor of RFC 2487.
> Did I get you right???
Er, of course I meant to write SSLv23_method! (TLSv1_method does not
provide any backwards compatibility at all.)
> The new draft says:
> Servers MUST be able to understand backwards compatible SSL Client
> Hello messages (provided that client_version is TLS 1.0 or later),
> and clients MAY use backwards compatible Client Hello messages.
> Neither clients nor servers are required to actually offer Client
> Hello messages for anything other than TLS 1.0.
Good. Requirements like this are exactly what I asked to put into the specs.
(Note to Peter: In case you don't want to actually support SSL 2.0
or SSL 3.0 protocols, use
SSL[_CTX]_set_options(..., SSL_OP_NO_SSLv2)
or
SSL[_CTX]_set_options(..., SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3).)
--
Bodo Möller <[EMAIL PROTECTED]>
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
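As an added example (not code from the thread or from OpenSSL), the two points above in Python's ssl module, whose flag names map one-to-one onto the C API: a server context built the way Bodo recommends (version-flexible method, SSLv2 and SSLv3 switched off), and a classifier for the first bytes a client sends after STARTTLS that applies the draft's rule about backwards compatible SSLv2-format hellos. The sample hello bytes are constructed; PROTOCOL_TLS_SERVER is the modern name of the SSLv23_method() behaviour.

```python
import ssl

# Constructed sample first-bytes (not from the thread) for the wire formats a
# STARTTLS server may see right after the client's STARTTLS command.
V3_HELLO = bytes.fromhex("160301002b010000270301")  # TLS record + ClientHello, client_version 3.1
V2_COMPAT_HELLO = bytes.fromhex("802e010301")       # SSLv2-format hello, client_version 3.1
V2_ONLY_HELLO = bytes.fromhex("802e010002")         # SSLv2-format hello, client_version 0.2 (SSL 2.0)


def classify_client_hello(data):
    """Return (wire_format, client_version) for the first bytes from a client.

    'v3' is an SSLv3/TLS record carrying a ClientHello; 'v2-compat' is the
    backwards compatible SSLv2-format hello the draft says servers MUST
    understand when its client_version is TLS 1.0 (3.1) or later."""
    if len(data) >= 11 and data[0] == 0x16 and data[5] == 0x01:
        # 5-byte record header, 4-byte handshake header, then client_version.
        return "v3", (data[9], data[10])
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01:
        # 2-byte length with the high bit set, msg type 0x01, then client_version.
        return "v2-compat", (data[3], data[4])
    return "unknown", None


def hello_acceptable(data, floor=(3, 1)):
    """The draft's rule: either hello format is fine as long as the announced
    client_version is at least `floor` (TLS 1.0 by default)."""
    fmt, version = classify_client_hello(data)
    return fmt != "unknown" and version >= floor


def make_starttls_server_context(certfile=None, keyfile=None):
    """Context for the TLS side of STARTTLS: the version-flexible method (the
    successor of SSLv23_method) plus SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3.
    OpenSSL >= 1.1.0 has no SSLv2 at all, so its flag is a no-op there and the
    protocol floor is enforced through minimum_version as well."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    if ctx.minimum_version < ssl.TLSVersion.TLSv1:
        ctx.minimum_version = ssl.TLSVersion.TLSv1  # only ever raise the floor
    if certfile and keyfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def tls_only(ctx):
    """True when the context can no longer negotiate SSL 2.0 or SSL 3.0."""
    return (ctx.minimum_version >= ssl.TLSVersion.TLSv1
            and bool(ctx.options & ssl.OP_NO_SSLv3))
```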