Quite a good link. However it is interesting in this quote:
The RFC also says that servers MUST accept that clients send extensions (and ignore the ones it cannot handle), and MUST accept that clients may signal a higher version than they support. Unfortunately, what the RFCs say, and what got implemented in the server can be two very different things. There is a reason why RFC 5746 (The Renego patch) includes a reminder about what the RFCs say on those two points.
Well, what can you say. It is all too similar to a lot of Internet browsing.
You have to allow for it to be a reply to a request. What we need to do is create an environment whereby that initial handshake doesn't allow all, doesn't allow by default, looks for certain strings....guess to some extent that may happen already and you to become pwoned....
So to start with not allowing anything but still recognize the link it needs....love to be able to have that signed in my name. --
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke