Since the SSLv2 ClientHello doesn't contain extensions, for an SNI-only site it is inconsistent to support the SSL 2 handshake. There is already a note that the SSL protocol doesn't support SNI; the same should be there for the SSL 2 handshake.
And here questions arise:
1. Why does my server support SSL 2 handshake? I have SSL 2 disabled!!!11
2. How do I turn it off? Should I change OpenSSL settings? Or recompile it with some specific options? Or should I manually modify the source?
It's still confusing to me.
An nginx developer suggested installing OpenSSL with FIPS support when the calomel.org admin asked: how to deny the SSL v2.0 handshake when SSL v2.0 is disabled.
But I have seen some servers with SSL 2 handshake compatibility and OpenSSL-FIPS in their signatures.
Also, it is confusing to have a FIPS-compliant server with a regular OpenSSL version, since there is SSL 2 handshake support.
My web server is PCI and FIPS compliant:
I do not have any special OpenSSL build on that server, it is the latest general release of OpenSSL.
- SSL2 and SSL3 are not allowed
If SSL is not allowed, why "SSL 2 handshake compatibility YES"?
Looking for this stuff currently:
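An added example, not code from this thread, nginx or OpenSSL: a small Python parser that classifies a raw ClientHello as SSLv2-compatible or TLS record format and extracts the server_name extension, which shows why an SSLv2-format hello cannot carry SNI no matter which protocol version it advertises. The two sample hellos are constructed by the builder functions below and are assumptions, not captures from any server.

```python
# Added example (not from the thread, nginx or OpenSSL): classify a raw ClientHello as
# SSLv2-compatible or TLS record format and extract the SNI; samples are constructed inline.
import struct

def _parse_sslv2_hello(data):
    # 2-byte header, high bit set, low 15 bits = length; then msg_type(1) version(2) three 2-byte lengths.
    msg = data[2:2 + (struct.unpack("!H", data[:2])[0] & 0x7FFF)]
    if msg[0] != 1:
        raise ValueError("not an SSLv2 CLIENT-HELLO")
    # Only cipher specs, session id and challenge follow: no extension field, hence no SNI.
    return {"format": "sslv2-compat", "version": struct.unpack("!H", msg[1:3])[0], "sni": None}

def _parse_tls_hello(data):
    if data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    body = data[9:9 + int.from_bytes(data[6:9], "big")]
    version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                           # client_version + random
    pos += 1 + body[pos]                                   # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                                   # compression_methods
    sni = None                                             # extensions block is optional
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0] if pos < len(body) else pos
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        edata = body[pos + 4:pos + 4 + elen]
        if etype == 0 and len(edata) >= 5 and edata[2] == 0:   # server_name, host_name entry
            sni = edata[5:5 + struct.unpack("!H", edata[3:5])[0]].decode("ascii")
        pos += 4 + elen
    return {"format": "tls", "version": version, "sni": sni}

def classify_client_hello(data):
    return _parse_sslv2_hello(data) if data[0] & 0x80 else _parse_tls_hello(data)

def build_sslv2_compat_hello(version, ciphers, challenge):
    # Constructed sample: SSLv2-format hello advertising `version` (0x0301 = TLS 1.0).
    body = bytes([1]) + struct.pack("!HHHH", version, len(ciphers) * 3, 0, len(challenge))
    body += b"".join(ciphers) + challenge
    return struct.pack("!H", 0x8000 | len(body)) + body

def build_tls_hello(version, ciphers, sni_host):
    # Constructed sample: minimal TLS ClientHello carrying a single server_name extension.
    name = sni_host.encode("ascii")
    ext = struct.pack("!HHHBH", 0, len(name) + 5, len(name) + 3, 0, len(name)) + name
    body = struct.pack("!H", version) + bytes(32) + b"\x00"   # version, random, empty session id
    body += struct.pack("!H", len(ciphers) * 2) + b"".join(ciphers) + b"\x01\x00"
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Feeding a captured ClientHello to `classify_client_hello` tells you whether a client that hit an SNI-only vhost could have named it at all; an "sslv2-compat" result with a TLS version inside is exactly the case the report flags.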