Type: Enhancement
Resolution: Fixed
Priority: P3
Affected versions: 1.0, 1.0.1, unknown, 1.0.2, 1.4.0
Fix version: beta2
CPU: generic, x86
OS: generic, linux, windows_nt, windows_2000
Name: krT82822 Date: 09/20/99
This request for enhancement relates to the Java Secure Socket Extension EA release. When an SSL handshake is begun with the code:

    // context: an already initialised SSLContext
    SSLSocketFactory f = context.getSocketFactory();
    SSLSocket connection = null;
    try {
        connection = (SSLSocket) f.createSocket(hostname, port);
    } catch (java.net.UnknownHostException unknown) {
        unknown.printStackTrace();
    } catch (java.io.IOException io) {
        io.printStackTrace();
    }

The client by default sends an SSL version 2 hello to the server. This is because, according to Jeff Nisewanger <###@###.###>:

"many implementations will want to send an SSL V2 client hello in order to more cleanly detect and report handshake negotiation failures when connecting to old servers which only support SSL V2. Sending a V3 ClientHello to a server that only supports SSL V2 can result in a hung connection or a seemingly random IO exception from the client's perspective. Always sending a V2 ClientHello initially makes it possible to detect that failure mode. Since most SSL V3 client implementations will send a V2 ClientHello upon first connection to a server it is normal for even SSL servers and implementations which do not otherwise implement SSL V2 to support receiving an SSL V2 ClientHello as documented in Appendix E of the SSL V3 specification. See http://home.netscape.com/eng/ssl3/4-APPN.HTM#E for details."

Although many servers do support v.2 client hellos, according to the same SSL V3 specification cited above:

"Warning: The ability to send Version 2.0 client hello messages will be phased out with all due haste. Implementors should make every effort to move forward as quickly as possible. Version 3.0 provides better mechanisms for transitioning to newer versions."

For this reason, our SSL server does NOT support a v.2 client hello. Upon receiving the v.2 client hello packets, it interprets them incorrectly and terminates the connection.

While I understand that much of the time it might be desirable to send a v.2 client hello (for the reasons Jeff wrote above), what I would like is a function such as forceV3ClientHello() that I can explicitly call to force the client to send an SSL v.3 hello instead of an SSL v.2 hello.
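An added illustration of how a JSSE client can make the choice this report asks for; it is not code from the report or from the JSSE release it discusses. In later JDKs the SSLv2-compatible hello is exposed as the pseudo-protocol name "SSLv2Hello" in the socket's enabled-protocol list, and removing that name makes the first flight a v3-format ClientHello; the page does not say how this request was eventually implemented, so treating that list as the equivalent of the requested forceV3ClientHello() is my assumption, as are the host and port command-line arguments.

```java
import java.io.IOException;
import java.util.Arrays;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/**
 * Open an SSL/TLS connection whose first record is a version-3-style
 * ClientHello instead of the SSLv2-compatible hello the report describes.
 * Assumption: the runtime lists "SSLv2Hello" among the enabled protocols;
 * on JDKs that no longer enable it, the filter below is simply a no-op.
 */
public class V3HelloClient {

    /** Returns the enabled-protocol list with the "SSLv2Hello" pseudo-protocol removed. */
    static String[] withoutSslv2Hello(String[] enabled) {
        return Arrays.stream(enabled)
                .filter(p -> !"SSLv2Hello".equals(p))
                .toArray(String[]::new);
    }

    /**
     * Stand-in for the forceV3ClientHello() the report asks for: create the
     * socket, drop the v2-compatible hello, then drive the handshake so the
     * choice takes effect before any application data is written.
     */
    static SSLSocket connectWithV3Hello(SSLSocketFactory f, String host, int port)
            throws IOException {
        SSLSocket s = (SSLSocket) f.createSocket(host, port);
        s.setEnabledProtocols(withoutSslv2Hello(s.getEnabledProtocols()));
        s.startHandshake(); // first record on the wire is now a v3-format ClientHello
        return s;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: V3HelloClient <host> <port>");
            return;
        }
        SSLContext context = SSLContext.getDefault();
        try (SSLSocket s = connectWithV3Hello(context.getSocketFactory(),
                                              args[0], Integer.parseInt(args[1]))) {
            System.out.println("Negotiated " + s.getSession().getProtocol()
                    + " with " + s.getSession().getCipherSuite());
        }
    }
}
```

On the server side of the failure the report describes, the symptom to look for is a connection closed immediately after the client's first record, before any ServerHello is sent.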
----------
9/20/99 eval1127@eng -- there appear to be some similar bug reports already in our system. Am filing this as new bug as-is. Sorry if it's a dupe of an existing bug #.
(Review ID: 95452)
======================================================================
Duplicates:
JDK-4416068 Some sites don't like our clientHello message - Closed
JDK-4424213 Problem with setting SSLContext.getInstance(); - Closed
JDK-4435711 SSL 3.1 Handshake fails with "bad_record_mac" on OS/390 platform - Closed
JDK-4470673 JDK 1.4 Https cannot connect to Lotus Notes web server - Closed
JDK-4489098 JSSE cannot connect to Domino servers on SSL - Closed