[Serusers] TLS comments

Cesc cesc.santa at gmail.com
Wed Feb 1 11:44:49 CET 2006


On 2/1/06, Klaus Darilion <klaus.mailinglists at pernau.at> wrote:
> Hi!
>
> I've tried the new TLS module:
>
> 1. It breaks compatibility with old TLS stack: Even when configured to
> use TLSv1, it sends an SSLv2 compatible HELLO:
>
> server2:~# ssldump
> New TCP connection #1: 10.10.0.41(33107) <-> 10.10.0.42(5063)
> 1 1  0.0088 (0.0088)  C>S SSLv2 compatible client hello
>    Version 3.1
>
>
> I do not know if this is a problem with the new or the old stack.
> Further I do not know what other TLS enabled SIP products use. Do they
> accept SSL compatible HELLOs?
>
Klaus, I don't think this is a bug ... I think that the hello is
always v2 and then (with the server hello message) the handshake is
upgraded to v3 or tlsv1. This way, you can have an sslv2-only client
try connecting to any server, but the server will send back sslv3 or
tlsv1 server hello, thus disconnecting the client.
Have not checked this ... but I think it is the way it is supposed to work.

Cesc
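
The distinction discussed in this thread, as an added example that is not part of the original message or of the TLS module's code: the framing of a ClientHello (SSLv2-compatible or TLS record) is separate from the version it offers, which is what ssldump prints as "Version 3.1". The function names and sample bytes below are constructed for illustration.

```python
import struct

# (major, minor) pairs as they appear on the wire; ssldump prints 3.1 for TLSv1.
VERSION_NAMES = {(0, 2): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1.0"}


def classify_client_hello(data: bytes) -> dict:
    """Return the framing of a ClientHello and the highest version it offers."""
    if len(data) < 11:
        raise ValueError("too short for a ClientHello")
    if data[0] & 0x80 and data[2] == 0x01:
        # SSLv2 framing: 15-bit length, msg_type 1, then the offered version.
        length = ((data[0] & 0x7F) << 8) | data[1]
        cipher_len, sid_len, chal_len = struct.unpack(">HHH", data[5:11])
        if length != 9 + cipher_len + sid_len + chal_len:
            raise ValueError("inconsistent SSLv2 hello lengths")
        framing, version = "sslv2-compatible", (data[3], data[4])
    elif data[0] == 0x16 and data[5] == 0x01:
        # SSLv3/TLS record (type 22) carrying handshake type 1 (client_hello).
        framing, version = "tls-record", (data[9], data[10])
    else:
        raise ValueError("not a ClientHello")
    return {"framing": framing, "version": version,
            "name": VERSION_NAMES.get(version, "unknown")}


def offers_at_least(hello: dict, minimum: tuple) -> bool:
    """True if the client offers `minimum` or newer, whatever the framing."""
    return hello["version"] >= minimum


def _v2_hello(version: tuple, cipher: bytes = b"\x00\x00\x2f") -> bytes:
    """Build a constructed SSLv2-framed hello with one 3-byte cipher spec."""
    body = (b"\x01" + bytes(version) + struct.pack(">HHH", len(cipher), 0, 16)
            + cipher + bytes(16))
    return bytes([0x80 | (len(body) >> 8), len(body) & 0xFF]) + body


# Constructed samples, not captured traffic.
V2_FRAMED_TLS1 = _v2_hello((3, 1))             # the case ssldump reports above
V2_ONLY = _v2_hello((0, 2), b"\x01\x00\x80")   # a client that speaks SSLv2 only
_ch = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
_hs = b"\x01" + len(_ch).to_bytes(3, "big") + _ch
TLS_RECORD_TLS1 = b"\x16\x03\x01" + struct.pack(">H", len(_hs)) + _hs

if __name__ == "__main__":
    for sample in (V2_FRAMED_TLS1, V2_ONLY, TLS_RECORD_TLS1):
        hello = classify_client_hello(sample)
        print(hello, "TLSv1 offered:", offers_at_least(hello, (3, 1)))
```

A server or monitor that requires TLSv1 can apply `offers_at_least(hello, (3, 1))` to either framing; only the SSLv2-only sample fails that check.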
