Andrei Pelinescu-Onciul writes:
The problem with SSLv23 is that it should use SSLv23 only when it acts
as server (if it uses SSLv23 when it acts as client, a TLSv1-only server
will not allow it to connect). Moreover, if you use SSLv23 you might end
up accepting an SSLv2 client. Theoretically we could work around this in
the code by setting SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3 (probably only
for the server part, the client would still have to support only TLSv1)
but I never tested it.

After I changed sr tls_method to SSLv23, sip-communicator was able to
establish a TLS connection and wireshark showed that negotiation resulted
in TLSv1 even when the initial client hello was SSLv2.
So it looks to me that it makes sense to have a new mode that only allows
TLSv1, but accepts either TLSv1 or SSLv2 initial client hello. I'll add
a tracker entry about it.
-- juha
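
An added example, not part of the original messages and not sip-router code: a C sketch of why an SSLv2-framed initial client hello can still end in TLSv1. The version field inside the hello, not the framing, says what the client offers. All function names, the policy check and the byte samples are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum hello_format { HELLO_UNKNOWN = 0, HELLO_SSLV2_FRAMED, HELLO_TLS_RECORD };

struct hello_info {
    enum hello_format format;
    uint16_t offered; /* highest version the client offers, 0x0301 = TLSv1 */
};

/* Classify the first bytes a client sends. Returns 0 on success, -1 if the
 * buffer is too short or is not a ClientHello in either framing. */
int parse_client_hello(const uint8_t *b, size_t n, struct hello_info *out)
{
    out->format = HELLO_UNKNOWN;
    out->offered = 0;
    /* SSLv2 framing: 2-byte header with high bit set, msg type 1, version */
    if (n >= 5 && (b[0] & 0x80) && b[2] == 0x01) {
        out->format = HELLO_SSLV2_FRAMED;
        out->offered = (uint16_t)(b[3] << 8 | b[4]);
        return 0;
    }
    /* SSLv3/TLS framing: record type 0x16, handshake type 1 at offset 5,
     * client_version at offsets 9..10 */
    if (n >= 11 && b[0] == 0x16 && b[1] == 0x03 && b[5] == 0x01) {
        out->format = HELLO_TLS_RECORD;
        out->offered = (uint16_t)(b[9] << 8 | b[10]);
        return 0;
    }
    return -1;
}

/* Hypothetical policy for the proposed mode: either framing is accepted,
 * but the client must offer TLSv1 (0x0301) or higher. */
int tlsv1_only_accepts(const uint8_t *b, size_t n)
{
    struct hello_info h;
    return parse_client_hello(b, n, &h) == 0 && h.offered >= 0x0301;
}

/* Constructed samples: leading bytes of three client hellos. */
static const uint8_t v2_framed_tls1[] = {0x80, 0x2e, 0x01, 0x03, 0x01, 0x00, 0x15};
static const uint8_t v2_framed_ssl2[] = {0x80, 0x1c, 0x01, 0x00, 0x02, 0x00, 0x03};
static const uint8_t tls_record_tls1[] = {0x16, 0x03, 0x01, 0x00, 0x2d, 0x01,
                                          0x00, 0x00, 0x29, 0x03, 0x01};
int main(void)
{
    printf("v2 framing, offers TLSv1: %d\n", tlsv1_only_accepts(v2_framed_tls1, sizeof v2_framed_tls1));
    printf("v2 framing, offers SSLv2: %d\n", tlsv1_only_accepts(v2_framed_ssl2, sizeof v2_framed_ssl2));
    printf("TLS record, offers TLSv1: %d\n", tlsv1_only_accepts(tls_record_tls1, sizeof tls_record_tls1));
    return 0;
}
```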