Kevin Regan wrote:
> 
> 26747:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
> number:s3_pkt.c:290:
> 
> This happens when I select "TLSv1" on the Java side and
> "TLSv1_server_method" on the OpenSSL side.  "TLSv1" on the Java side and
> "SSLv23_server_method" (but not "SSLv3_server_method") works fine.

(Before I say anything else, I admit that some of the JSSE APIs and the 
debug output are a bit confusing. Mainly lack of time and compatibility 
issues to blame).

The confusion seems to stem from the fact that SSLContext.getInstance() 
returns a context that supports /at least/ the specified protocol. It 
may support others too. In particular, for the Sun JSSE provider you 
always get the same result whether you use "TLSv1", "SSL", etc. with the 
getInstance() call. To select the actual enabled protocols, use the 
setEnabledProtocols() method on SSLSocket/SSLServerSocket.

For the Sun JSSE provider, the default enabled protocols are SSLv3, 
TLSv1, and the pseudo protocol SSLv2Hello. The latter means that client 
hello messages are sent/accepted in SSLv2 format. This is for better 
error diagnostics when talking to SSLv2-only implementations.

The result is that with the default settings a V2 client hello message 
requesting TLS 1.0 is sent. I think what you want to do is something 
like socket.setEnabledProtocols(new String[] {"TLSv1"}).

For this and much more see also 
http://java.sun.com/j2se/1.4/docs/guide/security/jsse/JSSERefGuide.html .

BTW, I would not expect the client to hang, however. This should only 
happen if the server neither sends an (error) response nor closes the 
socket. Don't know if this is the case here.

Andreas.
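The socket-level protocol selection Andreas describes, as an added example that is not code from the original thread. It assumes the target host and port are passed on the command line, that the JDK's default key and trust managers are acceptable for the test, and that the protocol names to keep are "TLSv1.3", "TLSv1.2" and "TLSv1" (only those the socket actually reports as supported are passed to setEnabledProtocols(), since that call rejects unknown names). It deliberately leaves "SSLv2Hello" out of the enabled set, so the client hello goes out in native TLS record format rather than as a V2 hello.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Added example (not from the original thread): restrict a JSSE client
 * socket to an explicit protocol list so that no SSLv2-format client hello
 * is sent, then report which protocol was actually negotiated.
 */
public class TlsOnlyClient {

    /**
     * Enable only the protocols in {@code wanted} that this socket supports.
     * The pseudo protocol "SSLv2Hello" is never enabled, so the client hello
     * is sent in the native TLS record format.
     *
     * @return the protocol names that were actually enabled
     */
    public static String[] restrictProtocols(SSLSocket socket, String[] wanted) {
        List<String> supported = Arrays.asList(socket.getSupportedProtocols());
        List<String> enable = new ArrayList<String>();
        for (String name : wanted) {
            // setEnabledProtocols() throws IllegalArgumentException for names
            // the provider does not know, so pass through only supported ones.
            if (supported.contains(name) && !"SSLv2Hello".equals(name)) {
                enable.add(name);
            }
        }
        if (enable.isEmpty()) {
            throw new IllegalArgumentException("none of " + Arrays.asList(wanted)
                    + " is supported; supported protocols: " + supported);
        }
        String[] result = enable.toArray(new String[enable.size()]);
        socket.setEnabledProtocols(result);
        return result;
    }

    public static void main(String[] args) throws Exception {
        // Assumed: host and port are given on the command line.
        String host = args[0];
        int port = Integer.parseInt(args[1]);

        // As the reply points out, the name passed to getInstance() is only a
        // lower bound on what the context supports; the enabled set is chosen
        // on the socket itself.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null);   // default key and trust managers (assumed acceptable here)
        SSLSocketFactory factory = ctx.getSocketFactory();
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);

        System.out.println("enabled by default: "
                + Arrays.asList(socket.getEnabledProtocols()));

        // "TLSv1" is the name discussed in the thread; on a current JDK it is
        // disabled by the default security properties, so "TLSv1.2"/"TLSv1.3"
        // are the entries that matter there.
        String[] enabled = restrictProtocols(socket,
                new String[] {"TLSv1.3", "TLSv1.2", "TLSv1"});
        System.out.println("enabled now: " + Arrays.asList(enabled));

        socket.startHandshake();
        System.out.println("negotiated: " + socket.getSession().getProtocol());
        socket.close();
    }
}
```

Run it as `java TlsOnlyClient <host> <port>` against the OpenSSL server under test. The first line shows the provider's default enabled set (SSLv2Hello included on the JDK the thread discusses); the last line shows the protocol the server actually accepted, which is the quickest way to confirm that the "wrong version number" error came from the V2-format hello rather than from the TLS version itself.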

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
