Am Freitag, 13. Mai 2005 20:32 schrieb Bodo Moeller: > On Wed, May 11, 2005 at 02:14:23PM +0200, Thomas Biege wrote: > > You see I use SSLv23_method() and later SSL_CTX_set_options(ctx, > > SSL_OP_ALL > > > > | SSL_OP_NO_SSLv2); to disable SSLv2 support. > > > > Is it normal that the "Client Hello" message is SSLv2 and later TLS is > > used? > > Yes. In the past this used to be necessary because some SSL 3.0 > implementations were confused by seeing TLS 1.0 records in the Client > Hello. But now these issues should be history.
Why wasn't SSLv3(.0) be used? Or will only headers of SSLv3(.1) be identified as "real" SSLv3? I am confused a bit b/c everyone tells you that SSLv2 isn't secure and so usage of it should be avoided... and then it was used silently. Maybe its insecurity doesn't matter in this early stage. > A change of behaviour will be in the next versions of the following > OpenSSL snapshots, located in directory <URL: > ftp://ftp.openssl.org/snapshot;type=d/>: > > openssl-0.9.7-stable-SNAP-<date>.tar.gz (0.9.7 series) > openssl-SNAP-<date>.tar.gz (0.9.8-dev) > > The 20050512 (and later) snapshots will have the change. Please test > one of these and let us know about any problems. I used openssl-0.9.7e but can test the newer ones too. Bye, Thomas -- Tom <[EMAIL PROTECTED]> fingerprint = F055 43E5 1F3C 4F4F 9182 CD59 DBC6 111A 8516 8DBF ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [email protected] Automated List Manager [EMAIL PROTECTED]
