> -----Original Message-----
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-
> us...@openssl.org] On Behalf Of Jeffrey Walton
> Sent: Monday, June 11, 2012 8:38 PM
> To: openssl-users@openssl.org
> Subject: Re: Configure OpenSSL to skip SSL1 & SSL2?
> 
> On Mon, Jun 11, 2012 at 4:32 PM, Garrison, Jim (ETW)
> <jim.garri...@nike.com> wrote:
> > I am trying to connect to a subversion server that requires https, and
> > for some reason, is configured to require SSL3 or TLS1.  It refuses to
> > respond to SSL or SSL2.
> You are lucky it responds to SSLv3. I would shut it down too (TLSv1 is not too
> far away for me, either).

So, the question remains.  Is this something that can be configured at runtime?

Also, if the server disallows certain protocols, shouldn't its SSL 
implementation respond with a negotiation sequence when the client attempts to 
use a disallowed protocol?  Is the total lack of response to an SSL1 CLIENT 
HELLO surprising, or is that the expected behavior? The server is Apache.

> 
> > I’ve done some troubleshooting using s_client and confirmed that if I
> > let s_client start with the default protocol the server never responds
> > to the CLIENT HELLO:
> >
> > $ openssl s_client -connect server.domain.com:443
> > CONNECTED(00000003)
> > write:errno=104
> > ---
> > no peer certificate available
> > ---
> > No client certificate CA names sent
> > ---
> > SSL handshake has read 0 bytes and written 320 bytes
> > ---
> > New, (NONE), Cipher is (NONE)
> > Secure Renegotiation IS NOT supported
> > Compression: NONE
> > Expansion: NONE
> > ---
> > Watching this in Wireshark I see:
> > Client                Server
> >     -------syn---------->
> >     <------ack-----------
> >     --SSL CLIENT HELLO-->
> >    <------ack-----------
> >       [60 second pause]
> >     <------rst-----------
> > If I tell s_client to use ssl2 the server immediately closes the connection.
> > With ssl3 and tls1 I can establish a connection.
> >
> > Is there any way to configure openSSL (when being used from inside the
> > subversion client) to skip SSL and SSL2, and start the negotiation
> > with TLS or SSL3?
> >
> > I've found the OpenSSL config file, but that seems to control only
> > certificate generation.
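
For a capture like the one described in this thread, the first bytes of the client's first TCP payload show whether the hello used SSLv2 record framing or an SSLv3/TLS record, and which version it offered. This is an added example, not code from the thread or from OpenSSL; the function name and both sample byte strings are constructed for illustration.

```python
import struct

# Protocol version numbers as they appear on the wire.
VERSIONS = {0x0002: "SSLv2", 0x0300: "SSLv3", 0x0301: "TLSv1.0",
            0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}


def classify_client_hello(data: bytes):
    """Return (framing, highest_version_offered) for a client's first bytes."""
    # SSLv2 record: 2-byte header with the top bit set (15-bit length),
    # then message type 1 (CLIENT-HELLO) and the highest version offered.
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01:
        declared = ((data[0] & 0x7F) << 8) | data[1]
        if declared < 9:  # type + version + three 2-byte length fields
            return "malformed", None
        (version,) = struct.unpack("!H", data[3:5])
        return "sslv2-record", VERSIONS.get(version, hex(version))
    # SSLv3/TLS record: content type 22 (handshake), 2-byte record version,
    # 2-byte length, then handshake type 1 (ClientHello), 3-byte length,
    # and client_version.
    if len(data) >= 11 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        (version,) = struct.unpack("!H", data[9:11])
        return "tls-record", VERSIONS.get(version, hex(version))
    return "unknown", None


# Constructed sample: SSLv2-framed hello that offers up to TLSv1.0.
V2_COMPAT_HELLO = (
    bytes([0x80, 0x1F, 0x01, 0x03, 0x01])      # header, type, version
    + struct.pack("!HHH", 6, 0, 16)            # cipher, session-id, challenge lengths
    + bytes([0x00, 0x00, 0x2F, 0x07, 0x00, 0xC0])  # two 3-byte cipher specs
    + bytes(16)                                # challenge (zeros for the sample)
)

# Constructed sample: TLS-record ClientHello offering TLSv1.0.
TLS_HELLO = (
    bytes([0x16, 0x03, 0x01, 0x00, 0x2D])      # record header, 45-byte payload
    + bytes([0x01, 0x00, 0x00, 0x29, 0x03, 0x01])  # handshake header, client_version
    + bytes(32)                                # random (zeros for the sample)
    + bytes([0x00, 0x00, 0x02, 0x00, 0x2F, 0x01, 0x00])  # sid len, suites, compression
)

if __name__ == "__main__":
    for name, sample in (("v2-compat", V2_COMPAT_HELLO), ("tls", TLS_HELLO)):
        print(name, classify_client_hello(sample))
```
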
