[openssl-dev] TLS session ticket extension problem when using the ssl23_client_hello method
Ian McFadries (imcfadri)
imcfadri at cisco.com
Thu Jul 23 14:21:31 UTC 2015
I do call SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3) so the client hello message starts with a TLSv1.2, and will negotiate as low as TLSv1.0. Under this context, the ssl23_client_hello method is being called
-----Original Message-----
From: openssl-dev [mailto:openssl-dev-bounces at openssl.org] On Behalf Of Viktor Dukhovni
Sent: Thursday, July 23, 2015 9:40 AM
To: openssl-dev at openssl.org
Subject: Re: [openssl-dev] TLS session ticket extension problem when using the ssl23_client_hello method
On Thu, Jul 23, 2015 at 01:19:24PM +0000, Ian McFadries (imcfadri) wrote:
> I have encountered a problem with EAP-FAST PACs when switching our
> implementation of OpenSSL from a context that supports TLSv1.0 only to
> a context that supports negotiation to the highest available TLS version.
Just call:
SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3)
(just the no-v2 option suffices, but you should avoid v3 also).
Once SSLv2 is disabled, the client HELLO will again include SSLv3/TLS extensions.
--
Viktor.
_______________________________________________
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
More information about the openssl-dev
mailing list