curl-users

Re: ssl handshake failure with xfb gateway ftps server

From: Gilles Hamel <hamelg_at_laposte.net>
Date: Sat, 25 Jul 2009 00:01:46 +0200

Peter Sylvester wrote:
>>> Besides extensions, TLS doesn't really offer much compared to SSLV3,
>>> so just using sslv3 is a pretty safe fallback combined with the age of
>>> the server.
>> I have seen different behaviors when using curl --sslv3 with fedora
>> openssl and vanilla openssl:
>>
>> With fedora's openssl, the client hello has no extension. So here,
>> the workaround works.
>>
>> With vanilla openssl, the client sends the hello with sni extension,
>> then the server replies with a
>> SSL version = TLS and the handshaking fails because the client
>> accepts only SSL version = SSLv3.
>
> "vanilla" or "fedora" are not versions of openssl.

I agree, but fedora adds lots of patches.

> If the "client" sends a sni and the server responds with TLS, I
> do not see how the client can fail?

When the client receives the server hello, it fails with the error: invalid ssl
version. With --sslv3, the client wants sslv3, not tls.

> can you give the result of "openssl version"
> and then "openssl s_client -connect xfb:port -debug"
OpenSSL 0.9.8k
"openssl s_client -connect xfb:port -debug" doesn't work on a ftps server
because when opening the connection it talks with FTP protocol. I don't
know how to do that.

-------------------------------------------------------------------
List admin: http://cool.haxx.se/cgi-bin/mailman/listinfo/curl-users
FAQ: http://curl.haxx.se/docs/faq.html
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2009-07-25
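
Added example, not part of the original mail and not curl or OpenSSL code: a small Python parser for the hello messages discussed in the thread. It runs over constructed records (the host name `xfb` in the SNI, cipher suite 0x002f and all helper names are assumptions) and shows the SNI extension in a ClientHello and the mismatch when a client pinned to SSLv3 receives a TLS ServerHello.

```python
import struct
# Constructed samples below; names and values are illustrative assumptions.
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0"}
CLIENT_HELLO, SERVER_HELLO, EXT_SNI = 1, 2, 0

def parse_hello(record: bytes) -> dict:
    """Parse one record carrying a complete ClientHello or ServerHello."""
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16 or rec_len != len(record) - 5:
        raise ValueError("not a single complete handshake record")
    hs_type, hs_len = record[5], int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    if hs_type not in (CLIENT_HELLO, SERVER_HELLO) or len(body) != hs_len:
        raise ValueError("not a complete hello message")
    version = int.from_bytes(body[:2], "big")
    pos = 2 + 32                          # version + random
    pos += 1 + body[pos]                  # session_id
    if hs_type == CLIENT_HELLO:
        pos += 2 + int.from_bytes(body[pos:pos + 2], "big")  # cipher_suites
        pos += 1 + body[pos]              # compression_methods
    else:
        pos += 3                          # chosen cipher suite + compression
    exts = []
    if pos + 2 <= len(body):              # extensions block is optional
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= min(end, len(body)):
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            exts.append(etype)
            pos += 4 + elen
    return {"type": hs_type, "version": version, "extensions": exts}

def build(hs_type: int, version: int, tail: bytes) -> bytes:
    # Constructed hello record: zero random, empty session id, then `tail`.
    body = struct.pack("!H", version) + bytes(32) + b"\x00" + tail
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", version, len(hs)) + hs

def diagnose(pinned: int, client_rec: bytes, server_rec: bytes) -> dict:
    """Report SNI presence and whether the server version matches the pin."""
    c, s = parse_hello(client_rec), parse_hello(server_rec)
    return {"client_sent_sni": EXT_SNI in c["extensions"],
            "server_version": VERSIONS.get(s["version"], hex(s["version"])),
            "version_accepted": s["version"] == pinned}

SNI = b"\x00\x00\x00\x08\x00\x06\x00\x00\x03xfb"       # server_name = "xfb"
CIPHERS = b"\x00\x02\x00\x2f\x01\x00"                  # one suite, null compression
HELLO_SNI = build(CLIENT_HELLO, 0x0300, CIPHERS + struct.pack("!H", len(SNI)) + SNI)
HELLO_PLAIN = build(CLIENT_HELLO, 0x0300, CIPHERS)
SERVER_TLS = build(SERVER_HELLO, 0x0301, b"\x00\x2f\x00")
```

`diagnose(0x0300, HELLO_SNI, SERVER_TLS)` reports the case described in the mail: SNI was sent, the server answered with TLS, and the SSLv3-only client does not accept that version.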