Okay, I went and looked at Appendix E of the SSL v3 spec,
to find out why ssl23_accept() does special handling on
ClientHello messages with v2 headers that are marked as
version 3.

First it says "Version 3 servers should accept either
ClientHello format".  That's understandable, since most
servers were running v2 at the time the spec was written.

Then it says "The ability to send v2 ClientHello messages will
be phased out with all due haste" etc.   Good thing too.
But has it happened?

How many browsers still do this?   I guess some old ones
are still doing this; I hope the newer versions have stopped.

For sundry reasons related to the SSL-aware hardware
I'm coupling OpenSSL to, I am writing my own sslX_accept()
and sslX_connect() methods, and lower-level methods to
support them.

We've made a command decision that we just ain't gonna
talk v2.  I'd love to be able to toss all v2 messages, but
this backward-compatible ClientHello is a problem.
I didn't see anything in the spec about client retries.
If the client sends a v2 ClientHello -

- can the server send some sort of NAK response to get
the client to try again with a more recent protocol?
ServerHello doesn't look like it can say anything like that.

- if the v2 ClientHello is dropped on the floor by the server,
will the major browsers try again with a v3 ClientHello,
or just give up?



((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((((
Tom Biggs
'89 FJ1200     DoD #1146

"The whole aim of practical politics is to keep the populace alarmed -
and hence clamorous to be led to safety - by menacing it with an endless
series of hobgoblins, all of them imaginary."  -- H.L. Mencken
))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
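The post contrasts the two ClientHello encodings a v3 server has to cope with: the SSLv2-compatible form (2-byte record header with the high bit set, 2-byte length fields, 3-byte cipher specs) and the normal v3 record-layer form. The following is an added example, not code from the poster or from OpenSSL: it parses both formats per RFC 6101 Appendix E, pulls out the version the client advertises, and applies a server policy that can refuse the v2-format hello even when it claims version 3, which is the situation the poster describes. Sample hellos are constructed inline; `server_accepts` and its `allow_v2_format` flag are hypothetical names chosen for this illustration.

```python
"""Classify the opening bytes of a client connection as an SSLv2-format or
v3-format ClientHello and extract the advertised protocol version.
Layouts follow RFC 6101 Appendix E (SSLv2-compatible hello) and the SSL 3.0
record/handshake format. Example code, not OpenSSL's implementation."""
import struct

SSL2_CLIENT_HELLO = 0x01   # SSLv2 message type CLIENT-HELLO
TLS_HANDSHAKE = 0x16       # v3 record-layer content type "handshake"
TLS_CLIENT_HELLO = 0x01    # v3 handshake message type ClientHello


def parse_v2_client_hello(data: bytes) -> dict:
    """Parse an SSLv2-format CLIENT-HELLO (2-byte header, high bit set)."""
    if len(data) < 2 or not (data[0] & 0x80):
        raise ValueError("not a 2-byte SSLv2 record header")
    rec_len = ((data[0] & 0x7F) << 8) | data[1]     # 15-bit record length
    body = data[2:2 + rec_len]
    if len(body) < rec_len or rec_len < 9:
        raise ValueError("truncated SSLv2 record")
    if body[0] != SSL2_CLIENT_HELLO:
        raise ValueError("SSLv2 record is not a CLIENT-HELLO")
    version = (body[1], body[2])                      # e.g. (3, 0) for SSL 3.0
    cs_len, sid_len, chal_len = struct.unpack("!HHH", body[3:9])
    # The three length fields must account for the whole record body.
    if 9 + cs_len + sid_len + chal_len != rec_len:
        raise ValueError("SSLv2 CLIENT-HELLO length fields do not add up")
    if cs_len % 3:
        raise ValueError("cipher_specs length is not a multiple of 3")
    specs = body[9:9 + cs_len]
    cipher_specs = [specs[i:i + 3] for i in range(0, cs_len, 3)]
    return {"format": "v2", "version": version, "cipher_specs": cipher_specs}


def parse_v3_client_hello(data: bytes) -> dict:
    """Parse a v3 record-layer handshake record carrying a ClientHello."""
    if len(data) < 5 or data[0] != TLS_HANDSHAKE:
        raise ValueError("not a v3 handshake record")
    rec_version = (data[1], data[2])
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < rec_len or rec_len < 6:
        raise ValueError("truncated v3 handshake record")
    if body[0] != TLS_CLIENT_HELLO:
        raise ValueError("handshake message is not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")         # 24-bit handshake length
    if 4 + hs_len > rec_len:
        raise ValueError("ClientHello spans records; not handled here")
    client_version = (body[4], body[5])
    return {"format": "v3", "record_version": rec_version, "version": client_version}


def classify_client_hello(data: bytes) -> dict:
    """Dispatch on the first byte: high bit set means an SSLv2-style header."""
    if data and data[0] & 0x80:
        return parse_v2_client_hello(data)
    return parse_v3_client_hello(data)


def server_accepts(hello: dict, allow_v2_format: bool) -> bool:
    """Hypothetical policy for a server that will not speak SSLv2.
    Anything advertising a version below 3.0 is refused outright; a
    v2-format hello that advertises 3.0+ is accepted only if the operator
    opted in to the backward-compatible encoding."""
    if hello["version"] < (3, 0):
        return False
    if hello["format"] == "v2" and not allow_v2_format:
        return False
    return True


# --- constructed sample messages (not captured traffic) ---
_v2_body = (bytes([SSL2_CLIENT_HELLO, 0x03, 0x00])          # CLIENT-HELLO, SSL 3.0
            + struct.pack("!HHH", 6, 0, 16)                 # cipher/session/challenge lengths
            + b"\x00\x00\x04" + b"\x00\x00\x05"             # two 3-byte cipher specs
            + bytes(16))                                    # 16-byte challenge
V2_HELLO_ADVERTISING_V3 = bytes([0x80 | (len(_v2_body) >> 8), len(_v2_body) & 0xFF]) + _v2_body

_v2_old = bytes([SSL2_CLIENT_HELLO, 0x00, 0x02]) + struct.pack("!HHH", 3, 0, 16) \
    + b"\x01\x00\x80" + bytes(16)                           # advertises SSL 2.0 only
V2_HELLO_SSL2_ONLY = bytes([0x80, len(_v2_old)]) + _v2_old

_hs_body = (b"\x03\x01" + bytes(32) + b"\x00"               # TLS 1.0, random, no session id
            + b"\x00\x02" + b"\x00\x2f"                     # one cipher suite
            + b"\x01\x00")                                  # null compression
_hs = bytes([TLS_CLIENT_HELLO]) + len(_hs_body).to_bytes(3, "big") + _hs_body
V3_HELLO = bytes([TLS_HANDSHAKE, 0x03, 0x00]) + struct.pack("!H", len(_hs)) + _hs


if __name__ == "__main__":
    for name, raw in [("v2-format/advertises 3.0", V2_HELLO_ADVERTISING_V3),
                      ("v2-format/SSL2 only", V2_HELLO_SSL2_ONLY),
                      ("v3-format", V3_HELLO)]:
        h = classify_client_hello(raw)
        print(name, h["format"], h["version"], "accept:", server_accepts(h, allow_v2_format=False))
```

The dispatch on the high bit of the first byte is the same cheap test a server needs before it can even decide how long the record is; everything after that is a policy question, which is why the example keeps parsing and acceptance in separate functions.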
