Ray wrote:
> What about enabling this by default when it's available, something > like if(!conn->data->set.ssl_disable_scsv) > SSL_CTX_set_mode(connssl->ctx, SSL_MODE_SEND_FALLBACK_SCSV), and > something could be put in CURLOPT_SSL_OPTIONS to allow the user disable > it like was done for BEAST, like CURLSSLOPT_ALLOW_DOWNGRADE_ATTACK would > set ssl_disable_scsv true. My understanding is that SSL_MODE_SEND_FALLBACK_SCSV should be set if and only if the TLS/SSL session being established is itself an attempt to establish a connection with a fallback TLS/SSL version following a previous handshake failure. It should not be set by default. Does libcurl currently attempt any fallback itself? If it just uses OpenSSL's own SSLv23_method, then I don't think there's an issue. In that case, I don't think it is possible for a man in the middle to force a fallback to SSL3. I'm sure someone will correct me if that's incorrect. Mark
------------------------------------------------------------------- List admin: http://cool.haxx.se/list/listinfo/curl-library Etiquette: http://curl.haxx.se/mail/etiquette.html
