Thanks for the patch. Is there a way to compile without the patch? I think I would rather 'config no=ssl3' and omit the additional complexity. Its additional protocol complexity and heartbleed is still fresh in my mind.
Also, are there any test cases that accompany the patch? I'm trying to figure out when, exactly, SSL_MODE_SEND_FALLBACK_SCSV needs to be set (using the sources as a guide). On Tue, Oct 14, 2014 at 7:46 PM, Bodo Moeller <bmoel...@acm.org> wrote: > Here's a patch for the OpenSSL 1.0.1 branch that adds support for > TLS_FALLBACK_SCSV, which can be used to counter the POODLE attack > (CVE-2014-3566; https://www.openssl.org/~bodo/ssl-poodle.pdf). > > Server-side TLS_FALLBACK_SCSV support is automatically provided if you use > the patch. Clients that do fallback connections downgrading the protocol > version should use SSL_set_mode(ssl, SSL_MODE_SEND_FALLBACK_SCSV) for such > downgraded connections. > > The OpenSSL team will follow up with official releases that will include > TLS_FALLBACK_SCSV support. Meanwhile, if you can't simply disable SSL 3.0, > you may want to use this patch. ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List openssl-dev@openssl.org Automated List Manager majord...@openssl.org
