[gnutls-devel] GnuTLS | gnutls_cli_debug / test_ssl3 don't detect some old SSLv3 servers (#958)

Development of GNU's TLS library gnutls-devel at lists.gnutls.org
Mon Mar 23 17:10:51 CET 2020

Daniel Lenski commented:

> Thanks for reporting this. I didn't know that such servers still existed.

I believe it's a Cisco VPN Concentrator 3000… I suspect that there are more than a few still in use.

> The request makes sense, but to provide more background RFC6101 (final SSL3.0 draft - draft-freier-ssl-version3-01 if I remember well) servers are expected to ignore TLS extensions (fields that come after the client hello).

Aha, I see now, thanks. Per [](https://tools.ietf.org/html/rfc6101#section-5.6.1):

    Forward compatibility note: In the interests of forward
    compatibility, it is permitted for a client hello message to include
    extra data after the compression methods.  This data must be included
    in the handshake hashes, but must otherwise be ignored.

> So this server is implementing a draft SSL3.0 version, rather than the final protocol.

Do you have a suggestion for how this draft SSL 3.0 version ought to be described in testing?

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/958#note_309848127
You're receiving this email because of your account on gitlab.com.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.gnupg.org/pipermail/gnutls-devel/attachments/20200323/5e049496/attachment.html>

More information about the Gnutls-devel mailing list