Re: ssl handshake failure with xfb gateway ftps server

From: Peter Sylvester <peter.sylvester_at_edelweb.fr>
Date: Fri, 24 Jul 2009 23:29:19 +0200

Gilles Hamel wrote:
> Peter Sylvester wrote:
>>
>> But, in the light of possible other extensions,
>> it may be also interesting to investigate a bit about the server's SSL
>> stack, there are not too many IMO, and those that do not
>> ignore extra data on a tls client hello are even rare, I may be wrong,
>> but one openssl seemed to be one of them. And that's already years ago
>> I think.
> Investigating the server's SSL stack is not easy because XFB Gateway
> has its own stack, private and closed source.
Well, then, this is already the result of an investigation. :-)
>
>> Besides extensions, TLS doesn't really offer much compared to SSLV3,
>> so just using sslv3 is a pretty safe fallback combined with the age of
>> the server.
> I have seen different behaviors when using curl --sslv3 with fedora
> openssl and vanilla openssl :
>
> With fedora's openssl, the client hello has no extension. So here,
> the workaround works.
>
> With vanilla openssl, the client sends the hello with the SNI extension,
> then the server replies with
> SSL version = TLS and the handshake fails because the client accepts
> only SSL version = SSLv3.
"vanilla" or "fedora" are not versions of openssl.

If the "client" sends an SNI and the server responds with TLS, I
do not see how the client can fail. The only known error is that
a server fails in case there is additional data in the
client hello, like the SNI extension.

Can you give the result of "openssl version"
and then "openssl s_client -connect xfb:port -debug"?
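The thread turns on what the ClientHello actually carries: the version field the client advertises and whether an extension block (here SNI) follows the compression methods. The following is an added example, not code from this thread or from curl/OpenSSL: it builds a minimal ClientHello record (constructed sample bytes, not a capture) with and without an SNI extension, and parses it back so the two cases discussed above can be compared byte for byte. The host name "xfb.example" is a placeholder.

```python
import struct

# Protocol version bytes as they appear on the wire (major, minor).
TLS_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
EXT_SERVER_NAME = 0x0000  # extension type for server_name (SNI), RFC 6066


def build_client_hello(version, cipher_suites, server_name=None):
    """Build a minimal ClientHello record (constructed sample, not a real capture).

    version: (major, minor) tuple, e.g. (3, 0) for SSLv3.
    cipher_suites: list of 16-bit suite codes.
    server_name: host name to put in an SNI extension, or None for no extensions.
    """
    body = struct.pack("!BB", *version)
    body += bytes(32)            # client random; fixed zeros, fine for a parsing demo
    body += b"\x00"              # empty session id
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"          # one compression method: null
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type 0 = host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
        body += struct.pack("!H", len(ext)) + ext                # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # type 1 = client_hello
    record = b"\x16" + struct.pack("!BB", *version) + struct.pack("!H", len(handshake))
    return record + handshake


def parse_client_hello(record):
    """Parse a ClientHello record and report version, suites and extensions."""
    if record[0] != 0x16:
        raise ValueError("not a handshake record")
    record_version = (record[1], record[2])
    if record[5] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    client_version = (body[0], body[1])
    pos = 2 + 32                                    # skip version and random
    sid_len = body[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    cm_len = body[pos]
    pos += 1 + cm_len
    extensions, server_name = [], None
    if pos < len(body):                             # extensions block is optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            extensions.append(etype)
            if etype == EXT_SERVER_NAME:
                name_len = struct.unpack("!H", edata[3:5])[0]   # skip list len + name_type
                server_name = edata[5:5 + name_len].decode("ascii")
    return {
        "record_version": TLS_VERSIONS.get(record_version, record_version),
        "client_version": TLS_VERSIONS.get(client_version, client_version),
        "cipher_suites": suites,
        "extensions": extensions,
        "server_name": server_name,
        "trailing_data_after_compression": pos < len(body) or bool(extensions),
    }


if __name__ == "__main__":
    for name in (None, "xfb.example"):
        hello = build_client_hello((3, 0), [0x002F, 0x0035], name)
        print(len(hello), "bytes:", parse_client_hello(hello))
```

Both hellos advertise SSLv3 in the version field; the difference is only that one carries an extensions block after the compression methods, which is the "additional data in the client hello" that an old server stack may choke on. Running the same parser over the raw bytes that `openssl s_client -debug` prints shows directly which of the two shapes a given build sends.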

-------------------------------------------------------------------
List admin: http://cool.haxx.se/cgi-bin/mailman/listinfo/curl-users
FAQ: http://curl.haxx.se/docs/faq.html
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2009-07-24