[sr-dev] about tls_method

Juha Heinanen jh at tutpro.com
Mon Oct 4 18:21:10 CEST 2010


Andrei Pelinescu-Onciul writes:

> The problem with SSLv23 is that it should use SSLv23 only when it acts
> as server (if it uses SSLv23 when it acts as client a TLSv1 only server
> will not allow it to connect). Moreover if you use SSLv23 you might end
> up accepting an SSLv2 client.  Theoretically we could work around this in
> the code by setting SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3 (probably only
> for the server part, the client would still have to support only TLSv1)
> but I never tested it.

after i changed sr tls_method to SSLv23, sip-communicator was able to
establish a tls connection and wireshark showed that negotiation resulted
in TLSv1 even when the initial client hello was SSLv2.

so it looks to me that it makes sense to have a new mode that only allows
TLSv1, but accepts either a TLSv1 or an SSLv2 initial client hello.  i'll add
a tracker entry about it.

-- juha
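The two hello framings the thread is talking about, and the server policy it proposes (version-flexible method on the server, SSLv2 and SSLv3 themselves rejected, TLSv1 negotiated even from an SSLv2-style hello), as an added example that is not code from the sr project or from either poster. It uses Python's `ssl` module as a stand-in for the OpenSSL C API (`PROTOCOL_TLS_SERVER` corresponds to `SSLv23_server_method`, `minimum_version` to the `SSL_OP_NO_SSLv2`/`SSL_OP_NO_SSLv3` options named above); the sample client hellos are constructed here and are not captures from the report.

```python
"""Added example: classify client-hello framings and apply a TLSv1-and-up policy.

Not code from sr/Kamailio or the thread's authors.  The ssl module is used as a
stand-in for the OpenSSL calls discussed in the thread.
"""
import ssl

TLS1_0 = (3, 1)   # ProtocolVersion for TLS 1.0
SSL3_0 = (3, 0)


def classify_client_hello(data: bytes):
    """Return (framing, (major, minor)) for a raw client hello.

    SSLv2-compatible hellos start with a 2-byte header whose high bit is set
    (this is what an SSLv23-style client sends first); SSL3/TLS hellos start
    with a handshake record (content type 0x16).  The version returned is the
    highest protocol version the client advertises, which is what decides the
    outcome, not the framing itself.
    """
    if len(data) >= 5 and data[0] & 0x80:
        # SSLv2 framing: header(2) | msg_type(1) | client_version(2) | ...
        if data[2] != 0x01:
            raise ValueError("not an SSLv2-format CLIENT-HELLO")
        return "sslv2-compatible", (data[3], data[4])
    if len(data) >= 11 and data[0] == 0x16:
        # SSL3/TLS framing: record(5) | hs type(1) | hs len(3) | client_version(2)
        if data[5] != 0x01:
            raise ValueError("not a ClientHello handshake message")
        return "tls-record", (data[9], data[10])
    raise ValueError("unrecognised client hello framing")


def server_accepts(data: bytes, min_version=TLS1_0) -> bool:
    """Policy the thread proposes: accept either framing, but only continue if
    the advertised version is at least min_version (TLSv1 by default), so a
    v2-framed hello advertising TLS 1.0 proceeds while real SSLv2/SSLv3 do not."""
    _framing, version = classify_client_hello(data)
    return version >= min_version


def make_server_context() -> ssl.SSLContext:
    """Version-flexible server context (SSLv23_server_method equivalent) with
    SSLv2/SSLv3 excluded; minimum_version is the modern form of setting
    SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 on the context."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx


def make_client_context() -> ssl.SSLContext:
    """Client side: offer TLSv1 and up only, so a TLSv1-only server still
    accepts us (the client-side concern raised in the quoted reply)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx


def build_tls_client_hello(version=TLS1_0) -> bytes:
    """Constructed minimal SSL3/TLS-framed ClientHello (no extensions)."""
    body = bytes(version) + bytes(32)          # client_version + random
    body += b"\x00"                            # session_id length 0
    body += b"\x00\x02\x00\x2f"                # one cipher suite
    body += b"\x01\x00"                        # compression: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + len(handshake).to_bytes(2, "big") + handshake


def build_v2_client_hello(version=TLS1_0) -> bytes:
    """Constructed SSLv2-compatible CLIENT-HELLO advertising `version`."""
    body = bytes([0x01])                       # CLIENT-HELLO
    body += bytes(version)                     # client_version (0x0301 = TLS 1.0)
    body += b"\x00\x06"                        # cipher_specs_length
    body += b"\x00\x00"                        # session_id_length
    body += b"\x00\x10"                        # challenge_length = 16
    body += b"\x00\x00\x2f" b"\x00\x00\x0a"    # two 3-byte v2 cipher specs
    body += bytes(16)                          # challenge
    header = (0x8000 | len(body)).to_bytes(2, "big")
    return header + body


if __name__ == "__main__":
    for name, hello in [("v2-framed TLS1.0", build_v2_client_hello()),
                        ("pure SSLv2", build_v2_client_hello((0, 2))),
                        ("TLS-framed SSLv3", build_tls_client_hello(SSL3_0)),
                        ("TLS-framed TLS1.2", build_tls_client_hello((3, 3)))]:
        print(name, classify_client_hello(hello), "accept" if server_accepts(hello) else "reject")
```

The classifier keys on the first byte only: a high bit set means the 2-byte SSLv2 record header, 0x16 means a handshake record. That matches what the wireshark observation above shows, namely that an SSLv2-framed hello carrying `client_version` 0x0301 is just a compatibility wrapper and negotiates TLSv1; only a hello advertising a version below TLS 1.0 is turned away.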
