
Re: SSL 3.0 and older ciphers selected in applications



On Mon, Dec 08, 2014 at 01:20:39PM +0100, Daniel Pocock wrote:
> >> Just one other point: if somebody is trying sending the client hello
> >> using SSL v2 record layer but indicating support for TLS v1.0, should
> >> TLSv1_method or SSLv23_method accept that?
> > I would expect that both should support that.
> 
> With TLSv1_method and reSIProcate/OpenSSL on wheezy it fails with
> 
>     error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> 
>     Error code = 336130315 file=s3_pkt.c line=348

So I start an s_server with:
openssl s_server -tls1 

And then:
openssl s_client: TLSv1
openssl s_client -tls1: TLSv1

I tried the s_server and s_client on both jessie and wheezy.  This
should just work.

If both sides drop the -tls1, it of course changes to TLSv1.2.

But it really should always work, and if it doesn't I'd argue that's
a bug.

But you say that it sends an SSLv2 compatible client hello.  By
default it shouldn't be doing that unless you change the cipher
suite to include SSLv2 ciphers and aren't using any extensions,
and as far as I know you currently can't disable extensions in
either wheezy or jessie.


Kurt
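An added example, not part of the original thread and not code from OpenSSL or reSIProcate: a small Python parser that tells the two client hello framings discussed above apart and reports what each one advertises. It builds a constructed SSLv2-format CLIENT-HELLO whose version field says TLS 1.0 (the message Daniel describes) next to a constructed TLS-format ClientHello, and shows that the SSLv2 framing has no field for extensions, which is the point Kurt makes at the end. The cipher suite 0x002F, the fixed random/challenge bytes and the renegotiation_info extension are stand-ins chosen for the example.

```python
import struct

# Constructed sample values for the example (not captured from any real session).
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
# Minimal renegotiation_info extension (type 0xff01, one byte of zero-length data),
# used only so a TLS-format hello can be built with extensions present.
RENEG_INFO_EXT = b"\xff\x01\x00\x01\x00"

TLS_VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLSv1", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def build_sslv2_compat_hello(version=(3, 1), suites=(TLS_RSA_WITH_AES_128_CBC_SHA,),
                             challenge=b"\x11" * 16):
    """SSLv2-format CLIENT-HELLO whose version field advertises a newer protocol.

    Layout: 2-byte record header (high bit set, low 15 bits = length), msg type
    0x01, version, cipher-spec/session-id/challenge lengths, then the three
    variable parts.  Cipher specs are 3 bytes each; TLS suites are carried as
    0x00 followed by the 2-byte suite id.  There is no field for extensions.
    """
    specs = b"".join(struct.pack(">BH", 0x00, s) for s in suites)
    body = (bytes([0x01]) + bytes(version)
            + struct.pack(">HHH", len(specs), 0, len(challenge))
            + specs + challenge)
    return struct.pack(">H", 0x8000 | len(body)) + body


def build_tls_hello(version=(3, 1), suites=(TLS_RSA_WITH_AES_128_CBC_SHA,),
                    client_random=b"\x22" * 32, extensions=b""):
    """SSLv3/TLS-format ClientHello inside a handshake record (content type 0x16)."""
    hello = (bytes(version) + client_random
             + bytes([0])                                   # empty session id
             + struct.pack(">H", 2 * len(suites))
             + b"".join(struct.pack(">H", s) for s in suites)
             + bytes([1, 0]))                               # one compression method: null
    if extensions:
        hello += struct.pack(">H", len(extensions)) + extensions
    handshake = bytes([0x01]) + len(hello).to_bytes(3, "big") + hello
    return bytes([0x16]) + bytes(version) + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(data):
    """Classify the framing and extract what the hello advertises.

    Returns record_format ("sslv2" or "tls"), record_version (TLS framing only),
    version (the client_version field), cipher_suites and has_extensions.
    """
    if len(data) < 5:
        raise ValueError("too short to be a client hello")

    if data[0] & 0x80 and data[2] == 0x01:
        # SSLv2 record, 2-byte header form (no padding byte).
        length = struct.unpack(">H", data[:2])[0] & 0x7FFF
        body = data[2:2 + length]
        if len(body) != length or length < 9:
            raise ValueError("truncated SSLv2 CLIENT-HELLO")
        version = (body[1], body[2])
        cs_len, sid_len, ch_len = struct.unpack(">HHH", body[3:9])
        if 9 + cs_len + sid_len + ch_len != length or cs_len % 3:
            raise ValueError("inconsistent SSLv2 CLIENT-HELLO lengths")
        specs = body[9:9 + cs_len]
        suites = [int.from_bytes(specs[i:i + 3], "big") for i in range(0, cs_len, 3)]
        return {"record_format": "sslv2", "record_version": None, "version": version,
                "cipher_suites": suites, "has_extensions": False}

    if data[0] == 0x16:
        record_version = (data[1], data[2])
        rec_len = struct.unpack(">H", data[3:5])[0]
        body = data[5:5 + rec_len]
        if len(body) != rec_len or body[0] != 0x01:
            raise ValueError("not a complete ClientHello handshake record")
        hs_len = int.from_bytes(body[1:4], "big")
        hello = body[4:4 + hs_len]
        if len(hello) != hs_len or hs_len < 38:
            raise ValueError("truncated ClientHello")
        version = (hello[0], hello[1])
        pos = 2 + 32                                         # skip client_random
        pos += 1 + hello[pos]                                # session id
        cs_len = struct.unpack(">H", hello[pos:pos + 2])[0]
        pos += 2
        suites = [struct.unpack(">H", hello[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
        pos += cs_len
        pos += 1 + hello[pos]                                # compression methods
        return {"record_format": "tls", "record_version": record_version, "version": version,
                "cipher_suites": suites, "has_extensions": pos < len(hello)}

    raise ValueError("unrecognised first byte 0x%02x" % data[0])


def describe(data):
    """One-line summary of the framing, advertised version and extension presence."""
    p = parse_client_hello(data)
    name = TLS_VERSION_NAMES.get(p["version"], "version %d.%d" % p["version"])
    ext = "with extensions" if p["has_extensions"] else "no extensions"
    return "%s-format hello advertising %s, %s" % (p["record_format"], name, ext)


if __name__ == "__main__":
    for msg in (build_sslv2_compat_hello(), build_tls_hello(),
                build_tls_hello(extensions=RENEG_INFO_EXT)):
        print(describe(msg))
```

Feeding a capture of the failing client's first flight to parse_client_hello() tells you which framing it actually used and which version it advertised; a hello that comes back as "sslv2" cannot have carried extensions, regardless of what the application asked for.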

