Hi Amnon!

IIRC, enabling TLSv1 in IE5 would result in not being able to connect to
such a buggy server, which I assume would be for the same reason as with
s_client.

IE6 however seems to be able to connect, which I think (although this is
only me guessing here) is due to it detecting the "bad mac" + "TLSv1
enabled" state and then reconnecting with TLSv1 disabled. This shouldn't
be hard to verify by looking at the server logs in question, but I'm
afraid I lack access to such a server.

I know that it shouldn't be difficult to add a downgrade like this to an
existing OpenSSL-based application, but would it not be more "useful" to
put this code inside OpenSSL itself, so that the reconnects would be
handled transparently once the workaround has been enabled?

I can't see how a given man-in-the-middle would have all that much to
gain by tricking clients into downgrading to SSLv3 anyway, so such a
workaround shouldn't cause too much harm IMHO.

//oscar

Amnon Cohen wrote:
> 
> Hi Oscar
> 
> Thanks for the reply!
> 
> How do browsers manage to connect to these defective servers?
> 
> Is there any way we can make OpenSSL emulate browser behaviour?
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
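
The server-log check suggested in the message above, as an added example that is not part of the original post or of OpenSSL: it flags clients whose TLSv1 handshake failed with a bad MAC and which then connected over SSLv3 within a short window. The log format, the field layout and the sample lines are constructed assumptions; adapt the parser to what the server actually writes.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical format (not from a real server):
# <ISO timestamp> <client address> <protocol> <handshake result>
SAMPLE_LOG = """\
2002-05-14T10:00:01 192.0.2.10 TLSv1 alert=bad_record_mac
2002-05-14T10:00:02 192.0.2.10 SSLv3 ok
2002-05-14T10:00:05 192.0.2.22 TLSv1 alert=bad_record_mac
2002-05-14T10:03:00 192.0.2.22 SSLv3 ok
2002-05-14T10:04:00 192.0.2.33 SSLv3 ok
2002-05-14T10:05:00 192.0.2.44 TLSv1 alert=bad_record_mac
2002-05-14T10:05:01 192.0.2.44 TLSv1 alert=bad_record_mac
2002-05-14T10:05:02 192.0.2.44 SSLv3 ok
"""

LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse(log):
    """Yield (timestamp, client, protocol, result) for each well-formed line."""
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts, client, proto, result = m.groups()
            yield datetime.fromisoformat(ts), client, proto, result


def find_fallbacks(log, window=timedelta(seconds=10)):
    """Return (client, failed_at, reconnected_at) for each TLSv1 bad-MAC
    failure followed by an SSLv3 success from the same client within window."""
    pending = {}  # client -> time of its most recent TLSv1 bad-MAC failure
    hits = []
    for ts, client, proto, result in parse(log):
        if proto == "TLSv1" and result == "alert=bad_record_mac":
            pending[client] = ts
        elif proto == "SSLv3" and result == "ok":
            failed = pending.pop(client, None)
            if failed is not None and ts - failed <= window:
                hits.append((client, failed, ts))
        else:
            pending.pop(client, None)  # any other event breaks the pattern
    return hits


if __name__ == "__main__":
    for client, failed, retried in find_fallbacks(SAMPLE_LOG):
        print(f"{client}: TLSv1 bad MAC at {failed}, SSLv3 ok at {retried}")
```

A client that shows up only in the SSLv3 lines, or whose SSLv3 connection comes minutes after the failure, is not counted as a fallback.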
