Re: My servers don't wanna talk v2

Tue, 19 Dec 2000 04:02:24 -0800 

On Mon, Dec 18, 2000 at 12:27:45PM -0500, Tom Biggs wrote:

[...]
> Then it says "The ability to send v2 ClientHello messages will
> be phased out with all due haste" etc.   Good thing too.
> But has it happened?
> 
> How many browsers still do this?   I guess some old ones
> are still doing this, I hope the newer versions have stopped.

Usually you can disable SSL 2.0 in one of the browser's configuration
menus.  Otherwise, the backwards compatible client hello format
will be used.

In practice, if automatic protocol version negotiation is required,
using the SSL 2.0 client hello format has advantages to using
the SSL 3.0 client hello format, even if you don't really
want to tolerate SSL 2.0 (but want to admit either of SSL 3.0
and TLS 1.0): Various software bugs in servers, including earlier
versions of OpenSSL, can cause the handshake to fail.
(An SSL 3.0/TLS 1.0 client hello contains *two* version numbers: The
record layer version and a 'client_version' element in the actual
message.  In theory, a client that wants to use either SSL 3.0 or
TLS 1.0 should use a 3.0 header and set client_version to 3.1, which
means TLS 1.0.  But because of said server bugs, such handshakes
will often fail.)  OpenSSL clients never generate TLS 1.0 handshakes
in SSL 3.0 records, although we may make this possible one day --
currently if you want protocol version negotiation, you have to
use the SSL 2.0 client hello format.

[...]
> If the client sends a v2 ClientHello -
> 
> - can the server send some sort of NAK response to get
> the client to try again with a more recent protocol?
> ServerHello doesn't look like it can say anything like that.
> 
> - if the v2 ClientHello is dropped on the floor by the server,
> will the major browsers try again with a v3 ClientHello,
> or just give up?

I've never seen a browser retry in this situation.  You can try this
yourself by running 'openssl s_server -ssl' (in the 'apps' directory
so that the default certificate is avaiable) and connecting with any
browser.


-- 
Bodo M�ller <[EMAIL PROTECTED]>
PGP http://www.informatik.tu-darmstadt.de/TI/Mitarbeiter/moeller/0x36d2c658.html
* TU Darmstadt, Theoretische Informatik, Alexanderstr. 10, D-64283 Darmstadt
* Tel. +49-6151-16-6628, Fax +49-6151-16-6036
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to