[openssl-users] Does openssl server always choose highest TLS version offered?

Viktor Dukhovni openssl-users at dukhovni.org
Sat Nov 7 23:25:17 UTC 2015


On Sat, Nov 07, 2015 at 11:04:49PM +0000, Matt Caswell wrote:

> There are 3 scenarios for the record layer version used by an OpenSSL
> client in the initial ClientHello (at least this is the case for 1.0.2
> and I believe it is also the case for 1.0.1 and 1.0.0. 0.9.8 is slightly
> different):
> 
> - the lowest supported non-disabled version is SSL2 and there are SSL2
> ciphers offered by the client, in which case an SSL2 compat ClientHello
> is used and there is no record layer version.
> - there are no SSL2 ciphers offered, SSLv3 is enabled and TLSv1.0 is
> disabled in which case SSLv3.0 is used as the record layer version.
> - in all other cases TLSv1.0 is used as the record layer version
> regardless of which protocols are disabled.
> 
> Note that the last scenario means that TLS1.0 can be used as the initial
> ClientHello record version even if TLS1.0 has been disabled.
> 
> You are correct about the contiguous range and "holes".

Thanks for the clarification.  My understanding was based on
exploring the semantics of "holes" in the range of supported
protocols.  It seems I jumped to the conclusion that the client
always uses the low end of its supported versions at the record
layer, based only on observations with SSL 2.0, SSL 3.0 and TLS
1.0 where this happens to agree with the more complete picture.

A three-way choice between SSL 2.0, SSL 3.0 or TLS 1.0 for the
initial record layer version makes sense.

-- 
	Viktor.
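As an added example, not code from this thread or from OpenSSL itself: a small Python model of the three scenarios Matt lists, alongside a parser for a constructed TLS-framed ClientHello. It illustrates the practical consequence of scenario three: the record-layer version of a client's first flight says little about what the client supports, so a monitor should read the client_version field inside the hello body (and later the supported_versions extension) rather than the record header. The protocol constants and the sample bytes are assumptions constructed here.

```python
# Added example (not from the thread): models the OpenSSL 1.0.x client rule
# described above and shows why the record-layer version is a poor signal.
import struct

# Version numbers as they appear on the wire (SSL2's 0x0002 sorts lowest).
SSL2, SSL3, TLS10, TLS11, TLS12 = 0x0002, 0x0300, 0x0301, 0x0302, 0x0303

def initial_record_version(enabled, offers_ssl2_ciphers):
    """Model of the three scenarios for the ClientHello record-layer version.

    enabled: set of protocol versions that are not disabled (constants above).
    offers_ssl2_ciphers: whether SSL2 ciphers are in the client's cipher list;
    only relevant when SSL2 is the lowest enabled version.
    Returns None for an SSL2-compatible ClientHello (no record layer version).
    """
    if not enabled:
        raise ValueError("no protocol versions enabled")
    lowest = min(enabled)
    if lowest == SSL2 and offers_ssl2_ciphers:
        return None                     # scenario 1: SSL2 compat hello
    if SSL3 in enabled and TLS10 not in enabled:
        return SSL3                     # scenario 2
    return TLS10                        # scenario 3, even if TLS 1.0 is disabled

def parse_client_hello(record):
    """Return (record_version, client_version) from a TLS-framed ClientHello."""
    content_type, rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 22 or len(record) != 5 + rec_len:
        raise ValueError("not a complete handshake record")
    if record[5] != 1:                  # HandshakeType client_hello
        raise ValueError("not a ClientHello")
    client_ver, = struct.unpack("!H", record[9:11])
    return rec_ver, client_ver

# Constructed sample: a TLS 1.2-only client still frames its first hello under
# a TLS 1.0 record version (scenario 3); the body carries the real version.
_body = (struct.pack("!H", TLS12) + bytes(32)        # client_version, random
         + b"\x00"                                   # empty session id
         + b"\x00\x02\x00\x2f"                       # one cipher suite
         + b"\x01\x00")                              # null compression
_handshake = b"\x01" + len(_body).to_bytes(3, "big") + _body
SAMPLE_HELLO = struct.pack("!BHH", 22, TLS10, len(_handshake)) + _handshake

if __name__ == "__main__":
    rec, cli = parse_client_hello(SAMPLE_HELLO)
    print(f"record version {rec:#06x}, client_version {cli:#06x}")
```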

