[gnutls-devel] GnuTLS | gnutls_cli_debug / test_ssl3 don't detect some old SSLv3 servers (#958)
Development of GNU's TLS library
gnutls-devel at lists.gnutls.org
Mon Mar 23 17:10:51 CET 2020
Daniel Lenski commented:
> Thanks for reporting this. I didn't know that such servers still existed.
I believe it's a Cisco VPN Concentrator 3000… I suspect that there are more than a few still in use.
> The request makes sense, but to provide more background RFC6101 (final SSL3.0 draft - draft-freier-ssl-version3-01 if I remember well) servers are expected to ignore TLS extensions (fields that come after the client hello).
Aha, I see now, thanks. Per [5.6.1.3](https://tools.ietf.org/html/rfc6101#section-5.6.1):
```
Forward compatibility note: In the interests of forward
compatibility, it is permitted for a client hello message to include
extra data after the compression methods. This data must be included
in the handshake hashes, but must otherwise be ignored.
```
> So this server is implementing a draft SSL3.0 version, rather than the final protocol.
Do you have a suggestion for how this draft SSL 3.0 version ought to be described in testing?
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/958#note_309848127
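As an added illustration (not code from the issue or from GnuTLS), the following parses an SSL 3.0 ClientHello body (RFC 6101 section 5.6.1) under the two server behaviours discussed above: the final-RFC rule of hashing but otherwise ignoring any data after the compression methods, versus a draft-era server that rejects such trailing data. The hello bytes and the trailing extensions block are constructed for the example.

```python
import hashlib
import struct


def build_client_hello(extra: bytes = b"") -> bytes:
    """Build a minimal SSL 3.0 ClientHello body (handshake header omitted).
    `extra` is appended after the compression methods, e.g. a TLS extensions block."""
    session_id = b""                                  # constructed: no session resumption
    cipher_suites = bytes.fromhex("000a002f0035")     # constructed: three suites
    body = b"\x03\x00" + bytes(32)                    # client_version 3.0, random (zeros here)
    body += bytes([len(session_id)]) + session_id
    body += struct.pack("!H", len(cipher_suites)) + cipher_suites
    body += b"\x01\x00"                               # one compression method: null
    return body + extra


def parse_client_hello(body: bytes, strict: bool) -> dict:
    """Parse a ClientHello body.
    strict=False: RFC 6101 forward-compatibility rule (trailing data ignored but hashed).
    strict=True:  draft-style server that refuses data after the compression methods."""
    off = 0
    version = body[off:off + 2]; off += 2
    off += 32                                         # random: gmt_unix_time + random_bytes
    sid_len = body[off]; off += 1 + sid_len
    cs_len = struct.unpack("!H", body[off:off + 2])[0]; off += 2
    suites = [body[i:i + 2] for i in range(off, off + cs_len, 2)]; off += cs_len
    cm_len = body[off]; off += 1 + cm_len
    trailing = body[off:]
    if trailing and strict:
        raise ValueError("unexpected data after compression methods")
    # Per RFC 6101 the whole message, trailing data included, feeds the handshake hashes.
    digest = hashlib.sha1(body).hexdigest()
    return {"version": version, "suites": suites, "trailing": len(trailing), "hash": digest}


def server_accepts(body: bytes, strict: bool) -> bool:
    """True if a server with the given behaviour would accept this ClientHello."""
    try:
        parse_client_hello(body, strict)
        return True
    except (ValueError, IndexError, struct.error):
        return False


if __name__ == "__main__":
    # constructed extensions block: renegotiation_info (0xff01), total length 5
    with_ext = build_client_hello(b"\x00\x05\xff\x01\x00\x01\x00")
    print("RFC 6101 server:", server_accepts(with_ext, strict=False))  # True
    print("draft server:   ", server_accepts(with_ext, strict=True))   # False
```

A test tool that only sends a ClientHello with extensions will see the second behaviour as a handshake failure rather than as an SSL 3.0 server, which is the detection gap the issue describes.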