On 2/1/06, Klaus Darilion klaus.mailinglists@pernau.at wrote:
Hi!
I've tried the new TLS module:
- It breaks compatibility with the old TLS stack: even when configured to
use TLSv1, it sends an SSLv2 compatible HELLO:
server2:~# ssldump
New TCP connection #1: 10.10.0.41(33107) <-> 10.10.0.42(5063)
1 1 0.0088 (0.0088) C>S SSLv2 compatible client hello
  Version 3.1
I do not know if this is a problem with the new or the old stack. Further, I do not know what other TLS-enabled SIP products use. Do they accept SSL compatible HELLOs?
Klaus, I don't think this is a bug ... I think that the hello is always v2 and then (with the server hello message) the handshake is upgraded to v3 or TLSv1. This way, you can have an SSLv2-only client try connecting to any server, but the server will send back an SSLv3 or TLSv1 server hello, thus disconnecting the client. I have not checked this ... but I think it is the way it is supposed to work.
Cesc
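
Added example, not part of the original thread and not code from the TLS module or ssldump: a Python sketch that looks at a client's first bytes and reports the framing (SSLv2-compatible or TLS record) separately from the advertised version, which is the distinction behind the "SSLv2 compatible client hello / Version 3.1" line in the ssldump output above. The function name and both sample byte strings are constructed for illustration.

```python
import struct

NAMES = {(2, 0): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1.0",
         (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

def classify_client_hello(data: bytes) -> dict:
    """Report the framing and advertised version of a client's first message."""
    if len(data) < 11:
        raise ValueError("need at least 11 bytes")
    if data[0] & 0x80 and data[2] == 0x01:
        # SSLv2 framing: 2-byte header (high bit set, 15-bit length), msg type 1,
        # then version and the three length fields.
        rec_len = ((data[0] & 0x7F) << 8) | data[1]
        major, minor, cs_len, sid_len, ch_len = struct.unpack("!BBHHH", data[3:11])
        # 9 fixed bytes follow the header; cipher specs are 3 bytes each.
        if rec_len != 9 + cs_len + sid_len + ch_len or cs_len % 3:
            raise ValueError("inconsistent SSLv2 hello lengths")
        framing = "SSLv2-compatible"
    elif data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        # TLS framing: record type 22 (handshake), record version, 2-byte length,
        # handshake type 1 (client_hello), 3-byte length, then client_version.
        major, minor = data[9], data[10]
        framing = "TLS record"
    else:
        raise ValueError("not an SSL/TLS ClientHello")
    version = (major, minor)
    return {"framing": framing, "version": version,
            "name": NAMES.get(version, "unknown")}

# Constructed sample: SSLv2-framed hello advertising 3.1, three cipher specs,
# no session id, 16-byte challenge (length 9 + 9 + 0 + 16 = 0x22).
SAMPLE_V2_COMPAT = (bytes.fromhex("8022" "01" "0301" "0009" "0000" "0010")
                    + bytes.fromhex("00002f" "00000a" "010080") + bytes(16))

# Constructed sample: a TLS-record-framed hello that also advertises 3.1.
_body = bytes.fromhex("0301") + bytes(32) + bytes.fromhex("00" "0002002f" "0100")
SAMPLE_TLS = (bytes.fromhex("160301") + struct.pack("!H", len(_body) + 4)
              + b"\x01" + len(_body).to_bytes(3, "big") + _body)

if __name__ == "__main__":
    for sample in (SAMPLE_V2_COMPAT, SAMPLE_TLS):
        print(classify_client_hello(sample))
```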