Discussion:
[openssl.org #3574] Bug Report: Misleading comments about SSLv23_method
Rich Waters via RT
2014-10-19 18:16:10 UTC
Hi openssl.org,

I just wanted to let you know about an issue with the comments in ssl.h.

These exist in 1.0.1j and 1.0.2-beta3. It is in the source code, so I
don't think the OS version is applicable.

The specific lines are:

const SSL_METHOD *SSLv23_method(void);        /* SSLv3 but can rollback to v2 */
const SSL_METHOD *SSLv23_server_method(void); /* SSLv3 but can rollback to v2 */
const SSL_METHOD *SSLv23_client_method(void); /* SSLv3 but can rollback to v2 */

In fact, these methods try to establish a TLSv1 connection and fall back
to SSLv3 (and then v2 if available).

Here's what the docs at:
https://www.openssl.org/docs/ssl/SSL_CTX_new.html say:

... a client will send out TLSv1 client hello messages including
extensions and will indicate that it also understands TLSv1.1, TLSv1.2
and permits a fallback to SSLv3.

Anyway, I thought I'd let you know about this.

Thanks!

-Rich
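The point of the report is that SSLv23_method() is an auto-negotiating method (highest version both peers support, with a possible fallback), not an "SSLv3" method, and that the name and comment say nothing about how far down it may roll back. The example below, added here and not part of the report or of OpenSSL's own code, shows the same method through Python's standard ssl module, whose PROTOCOL_TLS_CLIENT (formerly PROTOCOL_SSLv23) is that OpenSSL method. It builds the plain auto-negotiating context next to one with an explicit floor, and a small helper reports whether a given version is still reachable. All function names are mine; the helper only inspects the context's settings and does not know which versions the linked OpenSSL was built with.

```python
"""What SSLv23_method() actually means, seen through Python's ssl module."""
import ssl


def auto_negotiating_context():
    """Equivalent of SSL_CTX_new(SSLv23_method()) in OpenSSL.

    PROTOCOL_TLS_CLIENT negotiates the highest version both peers support;
    nothing about it is specific to SSLv3. How far down it may fall back is
    decided by the options and min/max version, not by the method name.
    """
    return ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)


def pinned_floor_context(floor_name="TLSv1_2"):
    """Same auto-negotiation, but with the fallback explicitly bounded.

    OP_NO_SSLv3 mirrors OpenSSL's SSL_OP_NO_SSLv3 (the legacy way to refuse
    the "rollback" the ssl.h comment mentions); minimum_version is the modern
    equivalent of SSL_CTX_set_min_proto_version().
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.options |= ssl.OP_NO_SSLv3
    ctx.minimum_version = ssl.TLSVersion[floor_name]
    return ctx


def describe_versions(ctx):
    """Summarise the negotiation range a context allows."""
    return {
        "protocol": ctx.protocol.name,
        "min": ctx.minimum_version.name,
        "max": ctx.maximum_version.name,
        "sslv3_refused": bool(ctx.options & ssl.OP_NO_SSLv3),
    }


def rollback_possible(ctx, version_name):
    """True if negotiation could still land on `version_name`
    ("SSLv3", "TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3") as far as the
    context's own settings are concerned. Only the OP_NO_SSLv3 bit is
    consulted among the legacy OP_NO_* flags; the min/max range does the rest.
    """
    v = ssl.TLSVersion[version_name]
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if v == ssl.TLSVersion.SSLv3 and ctx.options & ssl.OP_NO_SSLv3:
        return False
    above_floor = lo == ssl.TLSVersion.MINIMUM_SUPPORTED or v >= lo
    below_ceiling = hi == ssl.TLSVersion.MAXIMUM_SUPPORTED or v <= hi
    return above_floor and below_ceiling


if __name__ == "__main__":
    for label, ctx in (("auto-negotiating", auto_negotiating_context()),
                       ("pinned floor", pinned_floor_context())):
        print(label, describe_versions(ctx))
        for name in ("SSLv3", "TLSv1", "TLSv1_2"):
            print("  could negotiate", name, "->", rollback_possible(ctx, name))
```

The auto-negotiating context reports MINIMUM_SUPPORTED/MAXIMUM_SUPPORTED (or whatever the system openssl.cnf imposes) as its range, which is exactly the behaviour the misleading comment obscures; the pinned context makes the floor visible in the context itself rather than relying on the reader's memory of what "SSLv23" means.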



______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-***@openssl.org
Automated List Manager ***@openssl.org