On Wednesday, October 15, 2014 17:26:53 Mark Adams wrote: > Ray wrote: > > What about enabling this by default when it's available, something > > like if(!conn->data->set.ssl_disable_scsv) > > SSL_CTX_set_mode(connssl->ctx, SSL_MODE_SEND_FALLBACK_SCSV), and > > something could be put in CURLOPT_SSL_OPTIONS to allow the user disable > > it like was done for BEAST, like CURLSSLOPT_ALLOW_DOWNGRADE_ATTACK would > > set ssl_disable_scsv true. > > My understanding is that SSL_MODE_SEND_FALLBACK_SCSV should be set if and > only if the TLS/SSL session being established is itself an attempt to > establish a connection with a fallback TLS/SSL version following a previous > handshake failure. It should not be set by default. > > Does libcurl currently attempt any fallback itself?
libcurl does implement a fallback to SSLv3 with NSS, at least. Ray's patch disables it, which I believe is the right approach to take at this point. Kamil > If it just uses > OpenSSL's own SSLv23_method, then I don't think there's an issue. In that > case, I don't think it is possible for a man in the middle to force a > fallback to SSL3. I'm sure someone will correct me if that's incorrect. > > Mark ------------------------------------------------------------------- List admin: http://cool.haxx.se/list/listinfo/curl-library Etiquette: http://curl.haxx.se/mail/etiquette.html
