On Friday 17 October 2014 06:56:48 Florian Weimer wrote: > On 10/15/2014 08:58 AM, Ray Satiro wrote: > > I read today of a new method to decrypt SSL called POODLE. If you > > haven't read of it you should. It works by using SSL fallback behavior > > to get SSLv3 which can now be decrypted [1][2]. > > The OpenSSL change is unnecessary because the OpenSSL code does not > actually fall back to SSL 3.0. > > The only TLS backend which implements insecure fallback to SSL 3.0 is > NSS. Perhaps that fallback code can be removed completely?
I am all for removing the fallback code in upstream and Fedora but would be careful with RHEL. There is an ongoing discussion in RHBZ: https://bugzilla.redhat.com/CVE-2014-3566 Kamil ------------------------------------------------------------------- List admin: http://cool.haxx.se/list/listinfo/curl-library Etiquette: http://curl.haxx.se/mail/etiquette.html
