On Sun, Apr 01, 2012, Kurt Roeckx wrote:
> On Sun, Apr 01, 2012 at 02:42:20PM +0200, Dr. Stephen Henson wrote:
> > On Sun, Apr 01, 2012, Dr. Stephen Henson wrote:
> > >
> > > Did a quick hack modification setting header version to 0x3,0x0 and it now
> > > *will* connect to some sites it didn't before with a long client hello
> > > including paypal. It ends up negotiating TLS 1.2 anyway.
> > >
> > > I'll do some more tests to see what happens.
> > >
> > SSLv3 or TLSv1 version in record header connects, anything higher hangs.
> >
> > So I'd say we set it to TLSv1 in header unless we only support SSLv3. That
> > should retain compatibility with older versions of OpenSSL.
>
> Is there a reason not to send SSLv3 as the lowest version if
> SSLv3 is enabled?
>
Well, the only reason I suggested using TLS 1.0 is that would retain the same
behaviour as OpenSSL 1.0 and earlier, which would send the same record header
version as the currently supported version.

Doing some more tests... session resumption would also have to use version
SSLv3/TLSv1 in the client hello record, but other handshake records must use
the negotiated version.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [email protected]
Automated List Manager                           [email protected]
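The distinction the thread turns on is between two version fields in the first flight: the 2-byte version in the 5-byte record header, and client_version inside the ClientHello body, which carries the highest version the client actually supports. The observation was that servers accepted SSLv3 or TLSv1 in the record header and hung on anything higher, even though they went on to negotiate TLS 1.2 from client_version. The following Python is an added example, not code from this thread or from OpenSSL: it builds a minimal ClientHello with the two versions set independently, parses both back out of the bytes, and flags a record header that breaks the compatibility convention Steve describes. Function names, the sample cipher suites and the all-zero client random are constructed for illustration.

```python
import struct

# Wire encoding of protocol versions as (major, minor) byte pairs.
SSL3_VERSION = (3, 0)
TLS1_VERSION = (3, 1)
TLS1_1_VERSION = (3, 2)
TLS1_2_VERSION = (3, 3)

CONTENT_TYPE_HANDSHAKE = 22
HANDSHAKE_TYPE_CLIENT_HELLO = 1


def record_header_version(max_version):
    """Version to place in the 5-byte record header of the initial ClientHello.

    Follows the rule proposed in the thread (function name is hypothetical):
    TLSv1 in the record header unless the client supports only SSLv3, in
    which case SSLv3. The client's real maximum goes in client_version
    inside the ClientHello body, not here.
    """
    if max_version == SSL3_VERSION:
        return SSL3_VERSION
    return TLS1_VERSION


def build_client_hello(client_version, record_version, cipher_suites,
                       client_random=bytes(32)):
    """Serialise a minimal ClientHello (no extensions) inside one TLS record."""
    body = bytes(client_version) + client_random
    body += b"\x00"                                   # empty session_id
    suites = b"".join(struct.pack(">H", s) for s in cipher_suites)
    body += struct.pack(">H", len(suites)) + suites
    body += b"\x01\x00"                               # compression: null only
    # Handshake header: msg_type (1 byte) + length (3 bytes)
    handshake = (bytes([HANDSHAKE_TYPE_CLIENT_HELLO])
                 + len(body).to_bytes(3, "big") + body)
    # Record header: content_type (1) + version (2) + length (2)
    header = (bytes([CONTENT_TYPE_HANDSHAKE]) + bytes(record_version)
              + struct.pack(">H", len(handshake)))
    return header + handshake


def parse_client_hello_versions(record):
    """Return (record_version, client_version) from a ClientHello record.

    Raises ValueError on anything that is not a well-formed single-record
    ClientHello, so a truncated or non-handshake record is not misread.
    """
    if len(record) < 5:
        raise ValueError("record shorter than its 5-byte header")
    content_type, major, minor, length = struct.unpack(">BBBH", record[:5])
    if content_type != CONTENT_TYPE_HANDSHAKE:
        raise ValueError("not a handshake record")
    if len(record) != 5 + length:
        raise ValueError("record length field does not match data")
    handshake = record[5:]
    if handshake[0] != HANDSHAKE_TYPE_CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + hs_len]
    if len(body) < 2 + 32 + 1:
        raise ValueError("ClientHello body truncated")
    return (major, minor), (body[0], body[1])


def check_record_version(record):
    """Findings about the record-header version of an observed ClientHello.

    Encodes the observation from the thread: servers accepted SSLv3 or TLSv1
    in the record header, and a header version above that caused a hang.
    An empty list means the header follows the compatible convention.
    """
    record_version, client_version = parse_client_hello_versions(record)
    findings = []
    if record_version > TLS1_VERSION:
        findings.append("record header version %d.%d above TLSv1; "
                        "intolerant servers may hang" % record_version)
    if record_version > client_version:
        findings.append("record header version exceeds client_version")
    return findings


if __name__ == "__main__":
    # Constructed sample: a TLS 1.2-capable client with the record header set
    # as the thread proposes (TLSv1) and, for contrast, set to the maximum.
    suites = [0x002F, 0x0035]   # TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA
    good = build_client_hello(TLS1_2_VERSION, record_header_version(TLS1_2_VERSION), suites)
    bad = build_client_hello(TLS1_2_VERSION, TLS1_2_VERSION, suites)
    for name, rec in (("compatible", good), ("max-version header", bad)):
        print(name, parse_client_hello_versions(rec), check_record_version(rec) or "ok")
```

Running the block prints both parsed version pairs: the compatible record carries (3, 1) in the header and (3, 3) as client_version and produces no findings, while the record that copies the maximum into the header is flagged. The same parser can be pointed at a captured first record from a packet trace to confirm which convention a client in the field is following.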
