Hi openssl.org, I just wanted to let you know about an issue with the comments in ssl.h.
These exist in 1.0.1j and 1.0.2-beta3. It is in the source code, so I don't think the OS version is applicable. The specific lines are:

    const SSL_METHOD *SSLv23_method(void);         /* SSLv3 but can rollback to v2 */
    const SSL_METHOD *SSLv23_server_method(void);  /* SSLv3 but can rollback to v2 */
    const SSL_METHOD *SSLv23_client_method(void);  /* SSLv3 but can rollback to v2 */

In fact, these methods try to establish a TLSv1 connection and fall back to SSLv3 (and then v2 if available). Here's what the docs at: https://www.openssl.org/docs/ssl/SSL_CTX_new.html say:

    ... a client will send out TLSv1 client hello messages including extensions and will indicate that it also understands TLSv1.1, TLSv1.2 and permits a fallback to SSLv3.

Anyway, I thought I'd let you know about this.

Thanks!
-Rich
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org