On 10/17/2014 01:24 AM, Salz, Rich wrote:
It does not matter who you talk to. With a POODLE attack, your content can be decrypted. Cookies, etc., were just used as an example.
If OpenSSL talks to OpenSSL, and both ends have been set up with the SSLv23_method, and SSL_CTX_set_options has not been used to disable all TLS versions, then SSL 3.0 will never be negotiated, and attacks on SSL 3.0 are a non-issue. Even if you do not use TLS_FALLBACK_SCSV at all, or OpenSSL versions which do not support it.
So it does matter who you talk to. -- Florian Weimer / Red Hat Product Security ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List email@example.com Automated List Manager majord...@openssl.org