To give more information on the issue, this is the code which we use.

      meth = SSLv23_method();           /* version-flexible method */
      newRegID = SSL_CTX_new(meth);
      SSL_CTX_set_options(newRegID, SSL_OP_NO_SSLv2);  /* disable SSLv2 only */

My understanding was that the above code should tell that both SSLV3 and
TLSV1 are supported and server should choose one of them. But it does not
work with the WS I specified. It works fine, when I include SSL_OP_NO_TLSv1
in SSL_CTX_set_options. Is there any other way to tell that both SSLV3 and
TLSV1 are supported and let the server choose one of them?

Thanks,
Ravi.


On 8/28/07, ravi shankar <[EMAIL PROTECTED]> wrote:
>
> Hi Lutz,
>
> Yes. We use sslv23_method with SSL_OP_NO_SSLv2 in SSL_CTX_set_options. In
> this case, how do I specify that both SSLv3 and
> TLSv1 are valid in my client hello? Is it specified in the cipher list? I
> use the cipher setting as " DEFAULT:@STRENGTH".
>
> Thanks,
> Ravi.
>
> On 8/28/07, Lutz Jaenicke < [EMAIL PROTECTED]> wrote:
> >
> > ravi shankar wrote:
> > > We have a SSL client and we are having issues while connecting to some
> > > oracle application servers which does not support TLS. By default, our
> > > client tries TLS and the server sends an alert message for the client
> > > hello instead of sending server hello. If we disable TLS and use
> > > SSLV3, the connection goes fine.
> > >
> > > Is there any SSL_CTX option or api to tell that try TLS, if it does
> > > not work, fallback to SSLV3? We do not want to completely disable TLS
> > > by setting the option SSL_OP_NO_TLSv1 in SSL_CTX_set_options.
> > I fully understand you correctly: you are using a sslv23_method() (with
> > SSL_OP_NO_SSLv2 in SSL_CTX_set_options) to connect to a server and the
> > handshake fails?
> > This scenario should send a SSLv2 compatible client hello with SSLv3 and
> > TLSv1 being offered as valid. The server should then choose TLSv1 as
> > best possible option if supported and SSLv3 if TLSv1 is not available...
> >
> > Best regards,
> >     Lutz
> > ______________________________________________________________________
> > OpenSSL Project                                 http://www.openssl.org
> > User Support Mailing List                     openssl-users@openssl.org
> > Automated List Manager                           [EMAIL PROTECTED]
> >
>
>
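
Added example, not part of the original thread and not OpenSSL's code: a small C model of the version choice Lutz describes, alongside the failure Ravi reports. The option bits, the function names and the "intolerant" server behaviour (alerting on a TLSv1 offer instead of answering with SSLv3) are assumptions made for illustration.

```c
#include <stdio.h>

/* Protocol versions as carried in the hello messages. */
#define V_SSL3 0x0300
#define V_TLS1 0x0301

/* Model-only option bits (hypothetical); SSLv2 is assumed disabled. */
#define NO_SSL3 0x1u
#define NO_TLS1 0x2u

/* Highest version the mask leaves enabled: the version an
 * SSLv23-style client advertises. -1 if nothing is enabled. */
int client_hello_version(unsigned opts)
{
    if (!(opts & NO_TLS1)) return V_TLS1;
    if (!(opts & NO_SSL3)) return V_SSL3;
    return -1;
}

/* Would the client accept version v in the ServerHello? */
static int client_accepts(unsigned opts, int v)
{
    return (v == V_TLS1 && !(opts & NO_TLS1)) ||
           (v == V_SSL3 && !(opts & NO_SSL3));
}

/* Server choice. A tolerant server answers with the lower of the
 * offered version and its own maximum; an intolerant one (assumed
 * behaviour) alerts on any offer above its maximum. -1 = alert. */
int server_select(int offered, int server_max, int tolerant)
{
    if (offered < 0) return -1;
    if (offered <= server_max) return offered;
    return tolerant ? server_max : -1;
}

/* One handshake attempt: negotiated version, or -1 on failure. */
int negotiate(unsigned opts, int server_max, int tolerant)
{
    int chosen = server_select(client_hello_version(opts), server_max, tolerant);
    return (chosen >= 0 && client_accepts(opts, chosen)) ? chosen : -1;
}

int main(void)
{
    printf("SSLv3-only, tolerant:   %#06x\n", (unsigned)negotiate(0, V_SSL3, 1));
    printf("SSLv3-only, intolerant: %d\n", negotiate(0, V_SSL3, 0));
    printf("same, TLSv1 masked off: %#06x\n", (unsigned)negotiate(NO_TLS1, V_SSL3, 0));
    return 0;
}
```
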
