To give more information on the issue, this is the code which we use.

    meth = SSLv23_method();
    newRegID = SSL_CTX_new(meth);
    SSL_CTX_set_options(newRegID, SSL_OP_NO_SSLv2);

My understanding was that the above code should tell that both SSLV3 and TLSV1 are supported and server should choose one of them. But it does not work with the WS I specified. It works fine when I include SSL_OP_NO_TLSv1 in SSL_CTX_set_options. Is there any other way to tell that both SSLV3 and TLSV1 are supported and let the server choose one of them?

Thanks,
Ravi.

On 8/28/07, ravi shankar <[EMAIL PROTECTED]> wrote:
>
> Hi Lutz,
>
> Yes. We use sslv23_method with SSL_OP_NO_SSLv2 in SSL_CTX_set_options. In
> this case, how do I specify that both SSLv3 and
> TLSv1 are valid in my client hello? Is it specified in the cipher list? I
> use the cipher setting as " DEFAULT:@STRENGTH".
>
> Thanks,
> Ravi.
>
> On 8/28/07, Lutz Jaenicke <[EMAIL PROTECTED]> wrote:
> >
> > ravi shankar wrote:
> > > We have a SSL client and we are having issues while connecting to some
> > > oracle application servers which does not support TLS. By default, our
> > > client tries TLS and the server sends an alert message for the client
> > > hello instead of sending server hello. If we disable TLS and use
> > > SSLV3, the connection goes fine.
> > >
> > > Is there any SSL_CTX option or api to tell that try TLS, if it does
> > > not work, fallback to SSLV3? We do not want to completely disable TLS
> > > by setting the option SSL_OP_NO_TLSv1 in SSL_CTX_set_options.
> > I fully understand you correctly: you are using a sslv23_method() (with
> > SSL_OP_NO_SSLv2 in SSL_CTX_set_options) to connect to a server and the
> > handshake fails?
> > This scenario should send a SSLv2 compatible client hello with SSLv3 and
> > TLSv1 being offered as valid. The server should then choose TLSv1 as
> > best possible option if supported and SSLv3 if TLSv1 is not available...
> >
> > Best regards,
> > Lutz
> > ______________________________________________________________________
> > OpenSSL Project                                 http://www.openssl.org
> > User Support Mailing List                    openssl-users@openssl.org
> > Automated List Manager                               [EMAIL PROTECTED]
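
When a server answers a client hello with an alert, as described in this thread, the first bytes of a captured hello show which framing (SSLv2-compatible or SSLv3/TLS record) and which highest version the client actually offered. The C parser below is an added example, not code from the thread or from OpenSSL; the function and struct names and both byte strings are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

enum hello_format { HELLO_UNKNOWN, HELLO_SSLV2_COMPAT, HELLO_V3_RECORD };
struct hello_info { enum hello_format format; unsigned offered; };

/* Constructed sample: SSLv2-compatible hello offering up to TLSv1 (3.1). */
static const unsigned char sample_v2_compat[30] = {
    0x80, 0x1c, 0x01, 0x03, 0x01,         /* 2-byte header, type 1, version */
    0x00, 0x03, 0x00, 0x00, 0x00, 0x10,   /* cipher/session/challenge lengths */
    0x00, 0x00, 0x0a                      /* one cipher spec; challenge zeroed */
};
/* Constructed sample: record-format hello offering SSLv3 (3.0) only. */
static const unsigned char sample_v3_record[50] = {
    0x16, 0x03, 0x00, 0x00, 0x2d,         /* handshake record, 45-byte body */
    0x01, 0x00, 0x00, 0x29, 0x03, 0x00,   /* client_hello, client_version */
    [45] = 0x02, [47] = 0x0a, [48] = 0x01 /* one suite, null compression */
};

/* Report framing and highest offered version (0x0300 SSLv3, 0x0301 TLSv1).
 * Returns 0 on success, -1 if the bytes are not a complete client hello. */
int parse_client_hello(const unsigned char *p, size_t n, struct hello_info *out)
{
    out->format = HELLO_UNKNOWN;
    out->offered = 0;
    /* SSLv2-compatible: length header with high bit set, then msg type 1. */
    if (n >= 5 && (p[0] & 0x80) && p[2] == 0x01) {
        size_t len = ((size_t)(p[0] & 0x7f) << 8) | p[1];
        if (len < 9 || len + 2 > n) return -1;   /* malformed or truncated */
        out->format = HELLO_SSLV2_COMPAT;
        out->offered = ((unsigned)p[3] << 8) | p[4];
        return 0;
    }
    /* SSLv3/TLS: record type 22, major version 3, handshake type 1. */
    if (n >= 11 && p[0] == 0x16 && p[1] == 0x03 && p[5] == 0x01) {
        size_t len = ((size_t)p[3] << 8) | p[4];
        if (len < 6 || len + 5 > n) return -1;   /* malformed or truncated */
        out->format = HELLO_V3_RECORD;
        out->offered = ((unsigned)p[9] << 8) | p[10];
        return 0;
    }
    return -1;
}

int main(void)
{
    struct hello_info h;
    if (parse_client_hello(sample_v2_compat, sizeof sample_v2_compat, &h) == 0)
        printf("format=%d offered=0x%04x\n", (int)h.format, h.offered);
    return 0;
}
```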