OpenSSL compliance with Linux distributions

Benjamin Kaduk bkaduk at akamai.com
Wed Aug 5 20:46:16 UTC 2020


On Wed, Aug 05, 2020 at 10:28:26PM +0200, Patrick Mooc wrote:
> Thank you very much Kyle for your quick and clear answer.
> 
> The reason why I want to upgrade the OpenSSL version is that I encounter a
> problem with 1 frame exchange between client and server.
> 
> This frame is the first packet sent from client to server (Client Hello
> packet), and the protocol used for this packet is SSLv2.
> I don't understand why, because I force the use of TLSv1 (in the ssl.conf file
> as well as in the application software), but only for this first exchange packet
> SSLv2 is used. All other packets are correctly using TLSv10 as configured.
> 
> I have also searched for a way of forcing the use of TLSv10 ciphers in the OpenSSL
> configuration and in the application software, but I didn't succeed in doing so.
> 
> That's why I had the idea of upgrading the OpenSSL version to avoid the use of
> the SSLv2 protocol.
> 
> 
> Thus, if you have any idea of how to solve my problem without upgrading the
> OpenSSL version or Linux distribution, it would be very nice.

Using an "SSLv2-compatible" ClientHello is rather distinct from actually using
the SSLv2 protocol; I believe that the former is what is happening for you.

IIRC sending any TLS extension with the ClientHello suppresses the use of the
v2-compatible format, so you might be able to do that.  (I don't remember offhand
which extensions are implemented in that old of an OpenSSL version, and
whether they're enabled in the default build, though.)

-Ben
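As an added illustration of the distinction Ben draws above (example code written for this archive page, not code from the thread or from OpenSSL): a small Python parser that takes the first bytes a client sends and reports whether they use the SSLv2-compatible ClientHello framing or a native TLS record, together with the client_version and any extensions actually advertised. Message layouts follow RFC 2246 Appendix E and RFC 5246 sections 6.2.1 and 7.4.1.2; the two sample hellos, the hostname example.test and the cipher-suite list are constructed for the demonstration.

```python
"""Classify the first client flight: SSLv2-compatible framing vs. native TLS record.

Added example, not from the mailing-list thread.  Layouts per RFC 2246 App. E
(v2-compatible CLIENT-HELLO) and RFC 5246 (TLS record + ClientHello).
The sample messages built at the bottom are constructed, not captured.
"""
import struct

VERSION_NAMES = {(2, 0): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1.0",
                 (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}
EXTENSION_NAMES = {0: "server_name", 35: "session_ticket", 65281: "renegotiation_info"}


def _version_name(major, minor):
    return VERSION_NAMES.get((major, minor), "unknown(%d.%d)" % (major, minor))


def parse_v2_compat_hello(data):
    """Parse a CLIENT-HELLO in SSLv2-compatible framing (2-byte header, high bit set)."""
    if len(data) < 2:
        return None
    msg_len = struct.unpack("!H", data[:2])[0] & 0x7FFF
    body = data[2:2 + msg_len]
    if len(body) < 9 or body[0] != 0x01:          # 0x01 = CLIENT-HELLO
        return None
    major, minor = body[1], body[2]               # the TLS version actually offered
    cs_len, _sid_len, _ch_len = struct.unpack("!HHH", body[3:9])
    specs = body[9:9 + cs_len]
    # Each V2CipherSpec is 3 bytes; a TLS suite is carried as {0x00, hi, lo}.
    suites = [(specs[i + 1], specs[i + 2])
              for i in range(0, len(specs) - 2, 3) if specs[i] == 0x00]
    return {"format": "SSLv2-compatible ClientHello",
            "client_version": _version_name(major, minor),
            "cipher_suites": suites,
            "extensions": []}                     # this framing has no extension field


def parse_tls_record_hello(data):
    """Parse a ClientHello carried in a native TLS handshake record."""
    if len(data) < 9 or data[0] != 0x16:          # 0x16 = handshake content type
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:              # 0x01 = client_hello
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    major, minor = body[0], body[1]
    pos = 2 + 32                                  # skip client_version and random
    pos += 1 + body[pos]                          # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [(body[i], body[i + 1]) for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                          # compression_methods
    extensions = []
    if pos + 2 <= len(body):                      # extensions block is optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            extensions.append(EXTENSION_NAMES.get(ext_type, "type_%d" % ext_type))
            pos += 4 + ext_len
    return {"format": "TLS record ClientHello",
            "client_version": _version_name(major, minor),
            "cipher_suites": suites,
            "extensions": extensions}


def classify_client_hello(data):
    """Return what framing the first client message uses and what it advertises."""
    if data and data[0] == 0x16:
        parsed = parse_tls_record_hello(data)
    elif len(data) > 2 and data[0] & 0x80 and data[2] == 0x01:
        parsed = parse_v2_compat_hello(data)
    else:
        parsed = None
    return parsed or {"format": "unrecognized"}


# --- constructed sample messages (hypothetical values, not from a capture) ---
def build_v2_compat_hello(version=(3, 1), suites=((0x00, 0x2F), (0x00, 0x0A))):
    specs = b"".join(bytes([0x00, hi, lo]) for hi, lo in suites)
    challenge = bytes(range(16))                  # fixed bytes stand in for the challenge
    body = (bytes([0x01, version[0], version[1]])
            + struct.pack("!HHH", len(specs), 0, len(challenge)) + specs + challenge)
    return struct.pack("!H", 0x8000 | len(body)) + body


def build_tls_hello(version=(3, 1), suites=((0x00, 0x2F), (0x00, 0x0A)), sni=b"example.test"):
    cs = b"".join(bytes([hi, lo]) for hi, lo in suites)
    body = bytes(version) + bytes(32) + b"\x00" + struct.pack("!H", len(cs)) + cs + b"\x01\x00"
    if sni is not None:                           # add a server_name extension
        names = struct.pack("!H", 3 + len(sni)) + b"\x00" + struct.pack("!H", len(sni)) + sni
        ext = struct.pack("!HH", 0, len(names)) + names
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for sample in (build_v2_compat_hello(), build_tls_hello(), build_tls_hello(sni=None)):
        print(classify_client_hello(sample))
```

A dissector that labels the first client packet "SSLv2" is normally reacting to the 2-byte framing that `parse_v2_compat_hello` handles; the `client_version` inside it (TLSv1.0 in the sample) is what the server negotiates against. Only the native record form has a place for extensions, which is why advertising one, as Ben suggests, moves a client off the compatible framing.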