Glen Zorn wrote:
Glen Zorn wrote:
Section 3 says "TLS clients MUST NOT send SSL 2.0 CLIENT-HELLO
messages."
and "TLS servers MUST NOT negotiate or use SSL 2.0" and later "TLS
servers
that do not support SSL 2.0 MAY accept version 2.0 CLIENT-HELLO
messages as
the first message of a TLS handshake for interoperability with old
clients."
Taken together, I find these statements quite confusing, if not
outright
self-contradictory. Maybe, a "However" might fix the problem, though:
TLS servers MUST NOT negotiate or use SSL 2.0; however, TLS
servers
MAY accept SSL 2.0 CLIENT-HELLO messages as the first message of a
TLS handshake in order to maintain interoperability with legacy
clients.
Maybe I just don't understand the word "use". It seems like if a server
accepts a protocol message it's using the protocol...
With "negotiate" I meant returning a ServerHello handshake message with
that version number (neither an SSL 2.0 SERVER-HELLO, nor an SSLv3
ServerHello with a server version of { 0x02,0x00 }).
With "use" I meant to successfully complete the handshake and start
exchanging application data protected under protocol version {0x02,0x00}.
The Server accepts the SSL 2.0 CLIENT-HELLO protocol data unit (PDU),
but not the SSL 2.0 protocol. If there are no SSLv3 or TLS cipher
suites in that CLIENT-HELLO, or if the (version) field of the
SSL 2.0 CLIENT-HELLO does not indicate at least 3.0, then the server
still MUST abort.
-Martin
_______________________________________________
Ietf mailing list
Ietf(_at_)ietf(_dot_)org
https://www.ietf.org/mailman/listinfo/ietf