
curl-users

Re: ssl handshake failure with xfb gateway ftps server

From: Gilles Hamel <hamelg_at_laposte.net>
Date: Fri, 24 Jul 2009 19:04:01 +0200

Peter Sylvester wrote:
>
> But, in the light of possible other extensions,
> it may be also interesting to investigate a bit about the server's SSL
> stack, there are not too many IMO, and those that do not
> ignore extra data on a tls client hello are even rare, I may be wrong,
> but one openssl seemed to be one of them. And that's already years ago
> I think.
Investigating the server's SSL stack is not easy because XFB Gateway has
its own stack, which is private and closed source.

> Besides extensions, TLS doesn't really offer much compared to SSLV3,
> so just using sslv3 is a pretty safe fallback combined with the age of
> the server.
I have seen different behaviors when using curl --sslv3 with Fedora's
openssl and vanilla openssl:

With Fedora's openssl, the client hello has no extension. So here, the
workaround works.

With vanilla openssl, the client sends the hello with the SNI extension,
then the server replies with an SSL version = TLS and the handshake fails
because the client accepts only SSL version = SSLv3.

The --nosni patch for curl would be useful in my case.
-------------------------------------------------------------------
List admin: http://cool.haxx.se/cgi-bin/mailman/listinfo/curl-users
FAQ: http://curl.haxx.se/docs/faq.html
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2009-07-24
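The difference between the two OpenSSL builds in the message above is whether the ClientHello carries an extension block at all. The following is an added example, not code from the thread, curl or OpenSSL: a small parser that reports the hello version, the extension types present and the SNI host name from a raw ClientHello record (layout per RFC 5246 and RFC 6066), so a capture of the failing handshake can be checked directly. The sample ClientHello builder and the host name ftps.example.test are constructed test data.

```python
import struct

SNI_EXT_TYPE = 0  # server_name extension type, RFC 6066

def build_client_hello(version, server_name=None):
    """Construct a minimal ClientHello record (constructed test data, not a
    capture). version is the 2-byte protocol version, e.g. 0x0300 for SSLv3."""
    body = struct.pack(">H", version) + b"\x00" * 32   # version + random
    body += b"\x00"                                    # empty session id
    body += struct.pack(">H", 2) + b"\x00\x2f"          # one cipher suite
    body += b"\x01\x00"                                # null compression only
    if server_name is not None:                        # optional SNI extension
        name = server_name.encode()
        sni = b"\x00" + struct.pack(">H", len(name)) + name   # host_name entry
        data = struct.pack(">H", len(sni)) + sni              # server_name_list
        ext = struct.pack(">HH", SNI_EXT_TYPE, len(data)) + data
        body += struct.pack(">H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake header
    return b"\x16" + struct.pack(">HH", version, len(hs)) + hs  # record header

def parse_client_hello(record):
    """Return record/hello versions, the extension types present and the SNI
    host name (if any) from a raw SSLv3/TLS ClientHello record."""
    ctype, rec_ver, _rec_len = struct.unpack(">BHH", record[:5])
    if ctype != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake ClientHello record")
    hs_len = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hs_len]
    hello_ver = struct.unpack(">H", hello[:2])[0]
    pos = 2 + 32                                       # skip version + random
    pos += 1 + hello[pos]                              # session id
    pos += 2 + struct.unpack(">H", hello[pos:pos + 2])[0]  # cipher suites
    pos += 1 + hello[pos]                              # compression methods
    result = {"record_version": rec_ver, "hello_version": hello_ver,
              "extensions": [], "sni": None}
    if pos >= len(hello):
        return result                                  # no extension block at all
    ext_len = struct.unpack(">H", hello[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack(">HH", hello[pos:pos + 4])
        data = hello[pos + 4:pos + 4 + elen]
        result["extensions"].append(etype)
        if etype == SNI_EXT_TYPE and len(data) >= 5:   # list_len(2) type(1) len(2)
            name_len = struct.unpack(">H", data[3:5])[0]
            result["sni"] = data[5:5 + name_len].decode()
        pos += 4 + elen
    return result
```

Feeding the bytes of a captured ClientHello to parse_client_hello shows whether the client is sending extensions (the vanilla OpenSSL case above) or a bare SSLv3 hello (the Fedora case).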