Hi,

>> [...]
>> Having said that, I'm not sure which clients on which operating systems
>> are SSL 3.0 only.
>> [...]

Having read a bit more... I suspect (infer) that IE6 and possibly more things on Windows XP are the client side problems. I also suspect (infer) that the "SSL 3.0 only" (no TLS) problems are with old web *servers* rather than a proliferation of clients other than IE6.

> if I understand the situation correctly, almost nobody uses SSLv3 since
> it was quickly superseded by the newer TLS variants. But the initial
> connection setup is similar between SSLv2 and SSLv3, while for TLS it is
> entirely different and usually one uses the SSLv2 variant with
> additional information that TLS is supported, if the other endpoint also
> supports TLS, the protocol will then be upgraded. You can tell OpenSSL
> to support only SSLv2, only SSLv3, only TLS or all three variants
> together. But you cannot specifically exclude SSLv3 and still allow
> SSLv2 and TLS.

Thanks for the extra details. AIUI, SSLv2 and SSLv3 are more different to each other than SSLv3 and TLS1.0 ...but I suspect that's because I'm mostly familiar with the "SSLv2 variant with additional information that TLS is supported".

>> [...]
>> Have you seen this article by Google about TLS_FALLBACK_SCSV?
>> [...]
>
> Yes. Whether that security measure is supported depends on the version
> of the underlying SSL library, I think it is incorporated in OpenSSL
> 1.0.1j. I'm unsure whether anything special needs to be done to activate
> the feature.

I wonder if there's a test site that will connect to a webserver and tell you if it supports that?

> Personally, I think the big mess of SSL/TLS protocol versions, extension
> features and cipher suites is so hideously complex by now that there
> will always be some more hidden vulnerabilities %-] For anything truly
> security critical I would try to use an alternative protocol with a less
> convoluted design and with stronger default crypto algorithms.

I agree.

We'd like to run a good-and-proper SSL service but I think we'd rather run a highly compatible service when we have a choice. This trade-off starts to make sense when you take into consideration all the potential vulnerabilities that exist in even the newer versions.

Regards,
@ndy

--
[email protected]
http://www.ashurst.eu.org/
0x7EBA75FF

_______________________________________________
Chicken-users mailing list
[email protected]
https://lists.nongnu.org/mailman/listinfo/chicken-users
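The check wondered about in the message above (does a web server honour TLS_FALLBACK_SCSV?), as an added example that is not part of the original post or of any project mentioned in it. It builds a ClientHello that offers TLS 1.1 plus the fallback SCSV from RFC 7507 and classifies the server's first reply record. The function names, the two RSA/AES cipher suites, the offered version and the sample reply bytes are assumptions made for illustration.

```python
import os
import socket
import struct

TLS_FALLBACK_SCSV = 0x5600         # signalling cipher suite value, RFC 7507
ALERT_INAPPROPRIATE_FALLBACK = 86  # alert a supporting server must send


def build_fallback_hello(version=(3, 2), suites=(0x002F, 0x0035)):
    """ClientHello offering `version` (default TLS 1.1) with the SCSV appended.

    The default suites are TLS_RSA_WITH_AES_128/256_CBC_SHA (assumed choice).
    """
    suite_bytes = b"".join(struct.pack("!H", s)
                           for s in (*suites, TLS_FALLBACK_SCSV))
    body = (bytes(version) + os.urandom(32)       # client_version, random
            + b"\x00"                             # empty session_id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00")                        # null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def classify_reply(data):
    """Interpret the first TLS record the server sends back."""
    if len(data) < 6:
        return "unknown"
    ctype, length = data[0], struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + length]
    if ctype == 0x15 and len(payload) >= 2:       # alert: level, description
        if payload[1] == ALERT_INAPPROPRIATE_FALLBACK:
            return "scsv-enforced"
        return "other-alert"                      # inconclusive
    if ctype == 0x16 and payload[:1] == b"\x02":  # ServerHello
        # Either no SCSV support, or TLS 1.1 is the server's highest version.
        return "fallback-accepted"
    return "unknown"


def probe(host, port=443, timeout=5.0):
    """Send the hello to a server you operate and classify its answer."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_fallback_hello())
        return classify_reply(sock.recv(4096))


# Constructed sample replies (not captured traffic).
SAMPLE_ALERT = b"\x15\x03\x02\x00\x02\x02\x56"
SAMPLE_SERVER_HELLO = b"\x16\x03\x02\x00\x04\x02\x00\x00\x00"
```

A result of "fallback-accepted" only indicates missing SCSV support when the server is known to speak a version above TLS 1.1; the hello carries no SNI extension, so name-based virtual hosts may answer with an unrelated alert.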
