On 05.11.2014 17:00, Viktor Dukhovni wrote:
> On Wed, Nov 05, 2014 at 12:18:05PM +0000, Philip Bellino wrote:
>> Jeffrey,
>> May I ask why you included "no-ssl2" as an option to "config"?
>> Is only adding "no-ssl3" not sufficient enough to fully disable SSLv3?
> No. If you leave SSLv2 enabled, and disable SSLv3, then in many
> cases you always get SSLv2! SSL/TLS clients advertise a range of
> protocols (min, max) not a list. If the "min" is SSLv2 and SSLv3
> is disabled then the "max" is also SSLv2, unless explicitly disabled
> by the application, or the use of extensions forces SSLv3 or later.
Well, the ClientHello message only allows a client to advertise the highest
protocol version it speaks; it is expected that the client also speaks all
lower versions. Therefore, when a client isn't able or doesn't want to speak
e.g. SSLv2, it has to wait for the ServerHello and end the connection when
the server selects an unwanted protocol version.
Ciao,
Richard
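The negotiation both replies describe, as an added illustration (not OpenSSL code and not part of the thread): the client advertises only its highest version, the server picks the highest enabled version at or below it, and the client must compare the ServerHello choice against its own enabled set. The version sets stand in for the no-ssl2/no-ssl3 build options; the SSLv2-format hello and version fallback are deliberately left out of the model.

```python
# Simplified model of SSL/TLS version negotiation (constructed example).
# Version numbers are the (major, minor) wire values.
SSL2, SSL3, TLS10, TLS11, TLS12 = (2, 0), (3, 0), (3, 1), (3, 2), (3, 3)
ALL = {SSL2, SSL3, TLS10, TLS11, TLS12}
NAMES = {SSL2: "SSLv2", SSL3: "SSLv3", TLS10: "TLSv1.0",
         TLS11: "TLSv1.1", TLS12: "TLSv1.2"}


def client_hello(client_enabled):
    """ClientHello carries only the highest version the client offers."""
    return max(client_enabled)


def server_hello(server_enabled, client_max):
    """Server chooses the highest version it has enabled that does not
    exceed the client's offer; None means no common version (failure)."""
    candidates = [v for v in server_enabled if v <= client_max]
    return max(candidates) if candidates else None


def negotiate(client_enabled, server_enabled):
    """Full exchange. Because the hello only advertised a maximum, the
    client has to reject a ServerHello naming a version it disabled."""
    chosen = server_hello(server_enabled, client_hello(client_enabled))
    if chosen is None or chosen not in client_enabled:
        return None            # client ends the connection
    return NAMES[chosen]


if __name__ == "__main__":
    legacy_client = {SSL2, SSL3}               # only speaks SSLv2/SSLv3
    modern_client = {TLS10, TLS11, TLS12}      # built with no-ssl2 no-ssl3
    # Viktor's point: server built with only no-ssl3 still ends up on SSLv2.
    print("no-ssl3 only:      ", negotiate(legacy_client, ALL - {SSL3}))
    # With no-ssl2 as well the legacy client is refused outright.
    print("no-ssl2 + no-ssl3: ", negotiate(legacy_client, ALL - {SSL2, SSL3}))
    # Richard's point: client must abort when the server picks a version
    # below what it is willing to speak.
    print("server picks SSLv3:", negotiate(modern_client, {SSL2, SSL3}))
    print("both modern:       ", negotiate(modern_client, ALL - {SSL2, SSL3}))
```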
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org