On Sun, Mar 19, 2000 at 07:51:38PM -0800, Claus Assmann wrote:
> I'm trying to write a server (using OpenSSL) that doesn't use
> patented algorithms, which means I have to restrict my server to
> TLSv1 or SSLv3 (right?), so I would like to use TLSv1 only, but
> then a "default" client (SSL23_method) does not talk to my server.
> 
> Is there a description which versions of TLS and SSL should be able
> to "talk" with each other? Here is my table of testing with openssl
> s_server/s_client; please let me know whether this is expected
> behaviour, and how I can solve my problem with "normal" clients.

[table deleted]

As you just found out, SSLv2, SSLv3, and TLSv1 do interoperate in their
pure versions. A TLSv1 server will only interoperate with TLSv1 clients,
that means more or less, other OpenSSL clients.
Clients like Netscape only speak SSLv2/3, so you must support at least
SSLv3 for real world applications. At least actual versions of Outlook
Express (5.0?!, I would have to ask the colleague) support TLSv1, according
to my logfiles.
Anyway, to make things more complicated, clients that do support SSLv2
send an SSLv2 greeting with the option to use a newer (SSLv3/TLSv1)
protocol. To understand this greeting, you must at least have SSLv2
enabled, even if you don't want to use it.
So probably you want to use SSL23_method with SSL_OP_NO_SSLv2.

So much for the technical things. Please don't ask me about the patent
issues :-)

Best regards,
        Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
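
The two greeting formats discussed in the reply above, as an added example that is not part of the original message and is not OpenSSL code: a C classifier for a client's first bytes, showing why a server must parse the SSLv2-format greeting even when it refuses SSLv2 itself. `can_negotiate` and its parameters are a hypothetical policy model, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdio.h>

enum { VER_SSL3 = 0x0300, VER_TLS1 = 0x0301 };   /* versions as sent on the wire */
enum hello_kind { HELLO_TRUNCATED, HELLO_UNKNOWN, HELLO_V2_FORMAT, HELLO_V3_RECORD };

/* Classify a client's first bytes; *offered gets the highest version it offers. */
enum hello_kind classify_hello(const unsigned char *b, size_t n, unsigned *offered)
{
    if (n < 5)
        return HELLO_TRUNCATED;
    /* SSLv2 greeting: 2-byte header with high bit set, msg type 1 (CLIENT-HELLO),
     * then the offered version, which may be newer than SSLv2 itself. */
    if ((b[0] & 0x80) && b[2] == 0x01) {
        *offered = (unsigned)b[3] << 8 | b[4];
        return HELLO_V2_FORMAT;
    }
    /* SSLv3/TLSv1 record: type 22 (handshake), version, 2-byte length, then
     * handshake type 1 (ClientHello), 3-byte length, client_version. */
    if (b[0] == 0x16 && b[1] == 0x03) {
        if (n < 11)
            return HELLO_TRUNCATED;
        if (b[5] != 0x01)
            return HELLO_UNKNOWN;
        *offered = (unsigned)b[9] << 8 | b[10];
        return HELLO_V3_RECORD;
    }
    return HELLO_UNKNOWN;
}

/* Hypothetical policy model (not an OpenSSL API): parse_v2_format = server can
 * read the SSLv2-format greeting; min_version = lowest protocol it negotiates. */
int can_negotiate(const unsigned char *b, size_t n, int parse_v2_format, unsigned min_version)
{
    unsigned offered = 0;
    enum hello_kind k = classify_hello(b, n, &offered);
    if (k != HELLO_V2_FORMAT && k != HELLO_V3_RECORD)
        return 0;
    if (k == HELLO_V2_FORMAT && !parse_v2_format)
        return 0;
    return offered >= min_version;
}

/* Constructed samples: first 11 bytes of each greeting only. */
const unsigned char compat_hello[] = {0x80,0x2e,0x01,0x03,0x01,0x00,0x15,0x00,0x00,0x00,0x10};
const unsigned char tls1_hello[]   = {0x16,0x03,0x01,0x00,0x2f,0x01,0x00,0x00,0x2b,0x03,0x01};
const unsigned char pure_v2_hello[] = {0x80,0x1c,0x01,0x00,0x02,0x00,0x03,0x00,0x00,0x00,0x10};

int main(void) { printf("%d\n", can_negotiate(compat_hello, sizeof compat_hello, 1, VER_SSL3)); return 0; }
```

In this model, `parse_v2_format = 1` with `min_version = VER_SSL3` corresponds to the SSL23_method plus SSL_OP_NO_SSLv2 setup suggested in the reply, and `parse_v2_format = 0` with `min_version = VER_TLS1` to a TLSv1-only server.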