> > Why wasn't SSLv3(.0) used? Or will only headers of SSLv3(.1) be
> > identified as "real" SSLv3? I am confused a bit b/c everyone tells you
> > that SSLv2 isn't secure and so usage of it should be avoided... and then
> > it was used silently. Maybe its insecurity doesn't matter in this early
> > stage.
>
> With SSL_OP_NO_SSLv2, SSL 2.0 was never used, so its security problems
> did not apply. The SSL 2.0 compatible client hello message that was
> generated by SSLv23_client_method() is just a different way of
> arranging essentially the same information that occurs in an SSL 3.0
> or TLS 1.0 client hello message. (You just can't list compression
> techniques in the SSL 2.0 format, and you can't include TLS
> extensions. TLS extensions are not yet supported by OpenSSL, though.)
[...]

Thanks for the answer! :)

Thomas

--
Tom <[EMAIL PROTECTED]>
fingerprint = F055 43E5 1F3C 4F4F 9182 CD59 DBC6 111A 8516 8DBF
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [EMAIL PROTECTED]
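Added example, not part of the original thread and not OpenSSL code: a parser that reduces an SSL 2.0 compatible client hello and an SSL 3.0/TLS 1.0 record-layer client hello to the same fields, showing that the first carries the same offer but has no slot for compression methods or extensions. The function names and both sample messages are constructed for illustration.

```python
import struct

def parse_client_hello(data: bytes) -> dict:
    """Reduce either client hello layout to the same set of fields."""
    if len(data) < 11:
        raise ValueError("too short for a client hello")
    if data[0] & 0x80 and data[2] == 0x01:
        # SSL 2.0 compatible layout: 2-byte length with the high bit set,
        # msg_type 1, highest offered version, then three 16-bit lengths.
        if int.from_bytes(data[:2], "big") & 0x7FFF != len(data) - 2:
            raise ValueError("length field does not match message size")
        major, minor, cs_len, sid_len, ch_len = struct.unpack_from(">BBHHH", data, 3)
        specs = data[11:11 + cs_len]
        # Cipher specs are 3 bytes each; SSL 3.0/TLS suites have a zero first byte.
        suites = [int.from_bytes(specs[i + 1:i + 3], "big")
                  for i in range(0, cs_len, 3) if specs[i] == 0]
        start = 11 + cs_len + sid_len
        # A challenge shorter than 32 bytes is left-padded with zeros
        # to form the client random.
        random = data[start:start + ch_len].rjust(32, b"\x00")
        return {"layout": "ssl2-compatible", "offered": (major, minor),
                "suites": suites, "random": random,
                "compression": None, "extensions": None}  # no such fields
    if data[0] == 0x16 and data[5] == 0x01:
        # 5-byte record header, 4-byte handshake header, then the hello body.
        major, minor, random = data[9], data[10], data[11:43]
        off = 44 + data[43]                       # skip the session id
        cs_len = int.from_bytes(data[off:off + 2], "big")
        off += 2
        suites = [int.from_bytes(data[i:i + 2], "big")
                  for i in range(off, off + cs_len, 2)]
        off += cs_len
        comp_len = data[off]
        compression = list(data[off + 1:off + 1 + comp_len])
        off += 1 + comp_len
        return {"layout": "ssl3/tls", "offered": (major, minor),
                "suites": suites, "random": random,
                "compression": compression, "extensions": data[off:]}
    raise ValueError("not a client hello")

# Constructed samples: both offer TLS 1.0 (3.1) with suites 0x002F and 0x000A.
CHALLENGE = b"\xaa" * 16
V2_HELLO = bytes.fromhex("801f01030100060000001000002f00000a") + CHALLENGE
V3_HELLO = (bytes.fromhex("160301002f0100002b0301") + b"\x00" * 16 + CHALLENGE
            + bytes.fromhex("000004002f000a0100"))

def same_offer(a: bytes, b: bytes) -> bool:
    """True when both hellos carry the same version, suites and random."""
    pa, pb = parse_client_hello(a), parse_client_hello(b)
    return all(pa[k] == pb[k] for k in ("offered", "suites", "random"))
```

The version a server negotiates from is the `offered` field, which reads 3.1 in both samples; only the framing of the first message is in SSL 2.0 style.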
