What does "SSL 2.0+ Upgrade Support" in SSL Labs test mean?

Document created by Ivan Ristić on Oct 29, 2010. Last modified by Ivan Ristić on Oct 29, 2010.
Version 4

In every SSL (or TLS) connection, before data can be safely sent over the channel, the parties must perform a handshake to agree on common encryption parameters. There are two handshake formats: the original format used in SSLv2 and the modern format used in SSLv3 and better protocols.


Virtually all SSL servers support SSLv3 and TLSv1 today, but back when the new handshake format was being introduced, virtually all servers only knew how to speak SSLv2. That caused a problem for SSLv3-aware clients: should they try an SSLv3 handshake first, and fall back to SSLv2? Using that approach would have caused a significant performance penalty, considering that they'd be falling back to SSLv2 on virtually every connection.


For that reason, the SSLv2 handshake was retrofitted with an upgrade capability. Clients could use the old format, but specify a newer protocol version. SSLv3 servers and better would recognise the upgrade request and respond with SSLv3, although the initial handshake was in SSLv2 format.
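To make the two formats concrete, here is an added example (not from the original document or from SSL Labs) that classifies the first bytes a client sends and reports whether an SSLv2-format hello is really an upgrade request. The function names and sample messages are constructed for illustration; the field layout assumed is the SSLv2-compatible ClientHello described in the TLS specifications (RFC 5246, Appendix E.2).

```python
import struct

def classify_client_hello(data: bytes) -> dict:
    """Report which handshake format a captured ClientHello uses and the version it asks for."""
    # SSLv2 format: 2-byte header (high bit set, 15-bit length), msg type 1 (CLIENT-HELLO),
    # 2-byte requested version, then cipher-spec, session-id and challenge lengths.
    if len(data) >= 11 and data[0] & 0x80 and data[2] == 0x01:
        rec_len = struct.unpack(">H", data[:2])[0] & 0x7FFF
        cs_len, sid_len, ch_len = struct.unpack(">HHH", data[5:11])
        if cs_len % 3 == 0 and rec_len == 9 + cs_len + sid_len + ch_len:
            version = (data[3], data[4])
            # "upgrade" is True when the old format carries a request for SSLv3 or better.
            return {"format": "sslv2", "requested": version, "upgrade": version[0] >= 3}
    # SSLv3+ format: record header (type 0x16, version, length), handshake type 1,
    # 3-byte handshake length, then the 2-byte client version.
    if len(data) >= 11 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return {"format": "sslv3+", "requested": (data[9], data[10]), "upgrade": False}
    return {"format": "unknown", "requested": None, "upgrade": False}

def build_v2_hello(version: bytes, cipher_specs: bytes) -> bytes:
    """Constructed sample: SSLv2-format ClientHello with a 16-byte challenge."""
    challenge = bytes(16)
    body = b"\x01" + version + struct.pack(">HHH", len(cipher_specs), 0, len(challenge))
    body += cipher_specs + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body

def build_v3_hello() -> bytes:
    """Constructed sample: minimal SSLv3+-format ClientHello asking for TLS 1.2."""
    body = b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake

# Constructed inputs, one per case discussed in the text.
SAMPLES = {
    "v2 format, asks for TLS 1.0": build_v2_hello(b"\x03\x01", b"\x00\x00\x2f\x01\x00\x80"),
    "v2 format, asks for SSL 2.0": build_v2_hello(b"\x00\x02", b"\x01\x00\x80"),
    "v3+ format, asks for TLS 1.2": build_v3_hello(),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", classify_client_hello(raw))
```

Only the first sample is an upgrade request: the framing is SSLv2, but the version field asks for TLS 1.0.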


The "SSL 2.0+ Upgrade Support" test in SSL Labs means that the server in question supports the upgrade from SSLv2 to a better protocol. The upgrade can be supported even when SSLv2 itself isn't, and there are no security issues associated with it. Of course, the support for the upgrade matters less and less these days, because modern browsers neither support SSLv2 nor use the SSLv2-style handshake.