I do call SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3) so the client hello message starts with a TLSv1.2, and will negotiate as low as TLSv1.0. Under this context, the ssl23_client_hello method is being called
-----Original Message----- From: openssl-dev [mailto:openssl-dev-boun...@openssl.org] On Behalf Of Viktor Dukhovni Sent: Thursday, July 23, 2015 9:40 AM To: openssl-dev@openssl.org Subject: Re: [openssl-dev] TLS session ticket extension problem when using the ssl23_client_hello method On Thu, Jul 23, 2015 at 01:19:24PM +0000, Ian McFadries (imcfadri) wrote: > I have encountered a problem with EAP-FAST PACs when switching our > implementation of OpenSSL from a context that supports TLSv1.0 only to > a context that supports negotiation to the highest available TLS version. Just call: SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3) (just the no-v2 option suffices, but you should avoid v3 also). Once SSLv2 is disabled, the client HELLO will again include SSLv3/TLS extensions. -- Viktor. _______________________________________________ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev _______________________________________________ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
