According to dontspam-tzeruch(_at_)ceddec(_dot_)com:
This is happening with TLS - no one does TLS. Everyone does SSL2 or SSL3
compelete with impelementation bugs that need to be compensated for so
they are rarely true SSL2 or SSL3. So there are three "definitions" of
the protocol and lots of small implementation nits that must be coded for.
Actually this isn't the case. TLS code is available and interoperability
testing has been occuring prior to ending up in products. We got the TLS
release available (and C2Net has it the current released version of Stronghold)
and other vendors have been doing interoperability testing with the SSLeay
implementation to iron out any "interesting" areas. This is done outside
of public view and basically at a technical implementors level.
Our intent is to avoid the problem of having to permanently allow for
broken implementations after one or more major vendors ship code that doesn't
follow the specification which is what happens when there is nothing to test
against and the specification is complex.
Tim.