On 2010-06-26 00:32 PDT, Ivan Ristic wrote:
> It means that the server supports SSLv2 handshake, even though it may not
> support SSLv2 itself.
To be slightly more precise, it means the server accepts THE FIRST MESSAGE
of an SSL3 handshake from a client using the older SSL2 format.. It is
ONLY the first message of the handshake from the client that is done using
the old SSL2 format, not the entire handshake. All the messages after the
first are done using the newer SSL 3.x formats.
> Essentially it's an optimization. Instead of a client first requesting
> SSLv2 (with a SSLv2 handshake) and failing (if the server does not
> support it), then having to request SSLv3 or better (with a SSLv3
> handshake), the client can use the SSLv2 handshake to indicate support
> for newer protocols.
Well actually, the alternative to this scheme (where the ssl2 first message
served as the first message for both SSL2 and SSL3) was actually to try
sending SSL3 first, and if that failed, try again with SSL2.
This was a great idea 13 years ago when SSL3 was the new kid in town, and
most servers were still SSL2. In those days, ALL servers that supported SSL
supported SSL2, and just a few supported SSL3. If a client didn't ask for
SSL3 in its first message, it would always get SSL2, so a client who wanted
SSL3 had to ask for it first. This technique allowed the client to send a
single message that could be understood by both SSL3-capable servers and by
SSL2 only servers. SSL2 only servers would complete the handshake using
SSL2, and SSL3-capable servers would complete the handshake with SSL3.
But by 2005, the vast majority of servers were SSL3 capable, and very few
servers were left on Earth that still only supported SSL2. SSL3 brought
with it many new optional features that were rather desirable, but could
ONLY be used if the client sent its first message in SSL3 format, not if
it sent that message in the older SSL2 format. So, as long as clients
continued to attempt to use this old backward-compatible SSL2 format hello,
they were limited to a subset of the SSL3 features.
So, sometime in the middle of the first decade of the third millennium,
new browsers all stopped sending the old SSL2 format in their first
attempt to contact a server. Then it came to light that there were numerous
servers that supported SSL3, but ONLY when the first message was in the
older SSL2 format. They actually did NOT support the newer SSL3 format
first message at all. So browsers switched to sending the newer SSL3 format
message in that first attempt, so that they could ask for all those cool new
features. If that failed, then the browsers would "fall back" to using the
older SSL2 format first message.
Now, 14 years after the SSL 3.0 spec was written, the internet has ALMOST
reached the state where all the SSL servers can understand SSL 3 messages
starting from the first message. That's sad. But it's human nature.
Humans resist nothing more than they resist change.