On 10/15/2014 08:58 AM, Ray Satiro wrote:
> I read today of a new method to decrypt SSL called POODLE. If you haven't read of it you should. It works by using SSL fallback behavior to get SSLv3 which can now be decrypted [1][2].

The OpenSSL change is unnecessary because the OpenSSL code does not actually fall back to SSL 3.0.
The only TLS backend which implements insecure fallback to SSL 3.0 is NSS. Perhaps that fallback code can be removed completely?

-- Florian Weimer / Red Hat Product Security
