On 10/17/2014 01:24 AM, Salz, Rich wrote:
It does not matter who you talk to. With a POODLE attack, your content
can be decrypted. Cookies, etc., were just used as an example.
If OpenSSL talks to OpenSSL, and both ends have been set up with the
SSLv23_method, and SSL_CTX_set_options has not
On 10/16/2014 10:42 PM, Nou Dadoun wrote:
A few short (simple) questions about the use of TLS_FALLBACK_SCSV since
we’re currently upgrading to the latest openssl releases.
We don’t establish sessions with any other products than our own clients
and servers.
We’ve already disabled the use of
Salz, Rich rs...@akamai.com:
Disabling ssl3 is a good thing. But set the fallback because silently
dropping from tls 1.2 to tls 1.1 is bad.
All this assumes that your client application *does* explicitly fall back
from TLS 1.2 to TLS 1.1, instead of just relying on automatic protocol
version
: Re: Use of TLS_FALLBACK_SCSV
Salz, Rich rs...@akamai.com:
Disabling ssl3 is a good thing. But set the fallback because silently
dropping from tls 1.2 to tls 1.1 is bad.
All this assumes that your client application *does* explicitly fall back from
TLS 1.2 to TLS 1.1, instead of just
On Thu, Oct 16, 2014 at 4:42 PM, Nou Dadoun ndad...@teradici.com wrote:
...
We’ve already disabled the use of SSLv3 in both our client and server
releases going forward, is there any advantage in also using
TLS_FALLBACK_SCSV – i.e. will there be any benefit in connecting to our
already
It does not matter who you talk to. With a POODLE attack, your content can be
decrypted. Cookies, etc., were just used as an example.
Disabling ssl3 is a good thing. But set the fallback because silently dropping
from tls 1.2 to tls 1.1 is bad. It’s done during the handshake process as part
controlled scenario, I don’t think we’re vulnerable to
a POODLE attack unless there’s something I’m missing … N
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Salz, Rich
Sent: October-16-14 4:24 PM
To: openssl-users@openssl.org
Subject: RE: Use