which SSL client protocols work with which server protocols?
I've now built a framework in test_ssl to test all client protocols (SSL2, SSL3, SSL23, TLS1) against all server protocols, and here's what I've come up with. Servers are along the X axis, and clients are on the Y axis. "Yes" means that that client protocol can talk to that server protocol.

            SSL2   SSL3   SSL23  TLS1
    SSL2    yes    no     no     no
    SSL3    yes    yes    yes    no
    SSL23   no     no     yes    no
    TLS1    no     no     yes    yes

I'm a bit surprised by the facts that (1) an SSL2 client can't connect to an SSL23 server, and (2) an SSL23 client can *only* connect to an SSL23 server. Can anyone verify that these combos (the results of testing with the Python framework) are indeed to be expected?

Bill
Sure enough, in testing on my FC7 platform, which has a more modern version of OpenSSL (0.9.8e instead of the older 0.9.7l platform I was using), an SSL2 client *can* connect to an SSL23 server. And I got one of the above entries wrong: an SSL23 client can connect to an SSL2 server. I guess in the test harness, I'll just note the discrepancy, but not fail the test either way. And I'll add a note to the documentation. Bill
Here's the updated connection table:

            SSL2   SSL3   SSL23  TLS1
    SSL2    yes    no     yes    no
    SSL3    yes    yes    yes    no
    SSL23   yes    no     yes    no
    TLS1    no     no     yes    yes

Given this, I think the client-side default should be changed from SSLv23 to SSLv3, and the server-side default should be SSLv23.

Bill
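The modern ssl module no longer exposes SSLv2/SSLv3 methods, so the table above cannot be reproduced as-is; its modern analogue is a version *window* on each side (SSLContext.minimum_version / maximum_version), and interoperability is simply whether the two windows overlap, with the handshake settling on the highest version in the intersection. The harness below is an added example, not code from the thread or from test_ssl: it builds client and server contexts for a few constructed profiles (the profile names are our own) and prints a clients-down, servers-across matrix in the same shape as Bill's. It predicts from the configured windows rather than performing handshakes, so it needs no certificate; note that the HAS_* flags say only what the OpenSSL build was compiled with, and the library's security level can still refuse an old version at handshake time.

```python
import ssl
from ssl import TLSVersion

# Constructed profiles (assumption: the names are ours, not the ssl module's).
# Each maps to the (minimum_version, maximum_version) pair set on the context.
PROFILES = {
    "modern_default": (TLSVersion.TLSv1_2, TLSVersion.MAXIMUM_SUPPORTED),
    "tls12_only": (TLSVersion.TLSv1_2, TLSVersion.TLSv1_2),
    "anything_built_in": (TLSVersion.MINIMUM_SUPPORTED, TLSVersion.MAXIMUM_SUPPORTED),
}
if ssl.HAS_TLSv1_3:  # setting a version the build lacks raises ValueError
    PROFILES["tls13_only"] = (TLSVersion.TLSv1_3, TLSVersion.MAXIMUM_SUPPORTED)

# Concrete versions this OpenSSL build can speak, highest first.  HAS_* means
# "compiled in"; the runtime security level may still reject TLSv1/TLSv1_1.
_BUILT_IN = [v for v, ok in (
    (TLSVersion.TLSv1_3, ssl.HAS_TLSv1_3),
    (TLSVersion.TLSv1_2, ssl.HAS_TLSv1_2),
    (TLSVersion.TLSv1_1, ssl.HAS_TLSv1_1),
    (TLSVersion.TLSv1, ssl.HAS_TLSv1),
) if ok]


def _floor(v):
    # MINIMUM_SUPPORTED is the sentinel -2; treat it as "no lower bound".
    return 0 if v == TLSVersion.MINIMUM_SUPPORTED else int(v)


def _ceiling(v):
    # MAXIMUM_SUPPORTED is the sentinel -1; treat it as "no upper bound".
    return 10**6 if v == TLSVersion.MAXIMUM_SUPPORTED else int(v)


def negotiated_version(client, server):
    """Predict the version two SSLContext objects would agree on.

    TLS picks the highest version inside both sides' [min, max] windows;
    an empty intersection means the handshake fails with a
    protocol_version alert.  Returns the TLSVersion member name or None.
    """
    lo = max(_floor(client.minimum_version), _floor(server.minimum_version))
    hi = min(_ceiling(client.maximum_version), _ceiling(server.maximum_version))
    for v in _BUILT_IN:
        if lo <= int(v) <= hi:
            return v.name
    return None


def make_context(profile, purpose):
    """Build a client or server context whose version window is the profile's."""
    min_v, max_v = PROFILES[profile]
    proto = ssl.PROTOCOL_TLS_CLIENT if purpose == "client" else ssl.PROTOCOL_TLS_SERVER
    ctx = ssl.SSLContext(proto)
    ctx.minimum_version = min_v
    ctx.maximum_version = max_v
    return ctx


def interop_matrix():
    """Clients down the rows, servers across the columns, like the table above."""
    matrix = {}
    for c in PROFILES:
        for s in PROFILES:
            matrix[(c, s)] = negotiated_version(make_context(c, "client"),
                                                make_context(s, "server"))
    return matrix


def print_matrix(matrix):
    names = list(PROFILES)
    width = max(len(n) for n in names) + 2
    print("".ljust(width) + "".join(n.ljust(width) for n in names))
    for c in names:
        row = "".join((matrix[(c, s)] or "no").ljust(width) for s in names)
        print(c.ljust(width) + row)


if __name__ == "__main__":
    print_matrix(interop_matrix())
```

Running it shows the same asymmetry the thread is about, expressed in today's terms: a narrowly pinned client (tls12_only) still reaches a server with a wide window, but two narrow windows that do not overlap (tls13_only against tls12_only) never connect, which is why a server default should accept a range while a client may pin.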
Bill Janssen wrote:
Here's the updated connection table:
            SSL2   SSL3   SSL23  TLS1
    SSL2    yes    no     yes    no
    SSL3    yes    yes    yes    no
    SSL23   yes    no     yes    no
    TLS1    no     no     yes    yes
Given this, I think the client-side default should be changed from SSLv23 to SSLv3, and the server-side default should be SSLv23.
I believe you are correct. I did some experiments with this a while ago after hitting problems connecting to some SSL servers, although I can't remember the exact results now.

More importantly, what you recommend is what Twisted does, and I'd believe them more than me any time ;-). See Twisted's DefaultOpenSSLContextFactory [1] for the server side and ClientContextFactory [2] for the client side.

Cheers, Matt

[1] DefaultOpenSSLContextFactory, http://twistedmatrix.com/trac/browser/trunk/twisted/internet/ssl.py#L67
[2] ClientContextFactory, http://twistedmatrix.com/trac/browser/trunk/twisted/internet/ssl.py#L102

--
Matt Goodall, Pollenation Internet Ltd
Technology House, 237 Lidgett Lane, Leeds LS17 6QR
Registered No 4382123
A member of the Brunswick MCL Group of Companies
w: http://www.pollenation.net/
e: matt@pollenation.net
t: +44 113 2252500