httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Yann Ylavic <ylavic....@gmail.com>
Subject Re: Older clients stopped working after server disabled SSLv3
Date Wed, 29 Oct 2014 03:16:21 GMT
On Wed, Oct 29, 2014 at 3:01 AM, Yann Ylavic <ylavic.dev@gmail.com> wrote:
> On Wed, Oct 29, 2014 at 2:43 AM, Yann Ylavic <ylavic.dev@gmail.com> wrote:
>> Maybe we should introduce another protocol keywork, namely ANY, which
>> would opt-in SSLv23 (SSLv2Hello), and not disable single protocol
>> configuration in any case like in the patch proposed by Mikhail.
>
> So that "SSLProtocol ANY -SSLv3" would still negociate TLSv1.x only
> but would accept SSLv2Hello from client.
> Clients using a v2Hello won't send TLS extensions though (while the
> ServerHello should be TLSv1.0), so if this may solve compatibiliy
> issues, I'm not sure it is secure to use it (no full TLS/extensions
> handshake)...

Actually I tested the above with my earlier patch (slightly modified
to initialize "ANY" with SSL_PROTOCOL_ALL|SSL_PROTOCOL_ANY instead of
SSL_PROTOCOL_ANY alone) and it seems to work.

With OpenSSL 0.9.8o (debian squeeze) :
- openssl s_client using SSLv23 connects with SSLv2Hello and httpd
handshakes correctly with TLSv1,
- openssl s_client using TLSv1 connects with SSLv3Hello (version
TLSv1) and httpd handshakes correctly with TLSv1,
- openssl s_client using SSLv3 connects with SSLv3Hello (version
SSLv3) and httpd refuses to handshake.

Regards,
Yann.

Mime
View raw message