On 10/17/2014 01:24 AM, Salz, Rich wrote:
> It does not matter who you talk to.  With a POODLE attack, your content
> can be decrypted.  Cookies, etc., were just used as an example.

If OpenSSL talks to OpenSSL, and both ends have been set up with the SSLv23_method, and SSL_CTX_set_options has not been used to disable all TLS versions, then SSL 3.0 will never be negotiated, and attacks on SSL 3.0 are a non-issue, even if you do not use TLS_FALLBACK_SCSV at all or use OpenSSL versions which do not support it.

So it does matter who you talk to.

Florian Weimer / Red Hat Product Security
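The version negotiation Florian is relying on, as an added model that is not part of this thread and not OpenSSL's own code: two peers that both speak up to TLS 1.2 settle on TLS 1.2 in a single in-protocol exchange, and the only thing a POODLE attacker can do to that exchange is break it, not steer it to SSL 3.0. SSL 3.0 is reached in two ways only: one peer whose maximum is SSL 3.0 (so it does matter who you talk to), or a client that retries at lower versions after a failure (the browser "downgrade dance"), which is what TLS_FALLBACK_SCSV is for. The NO_* option bits, the endpoint struct and the constructed peers below are illustrative stand-ins for SSL_OP_NO_* and SSL_CTX settings, not OpenSSL identifiers.

```c
#include <stdbool.h>
#include <stdio.h>

/* Protocol versions as on the wire; numerically higher is newer. */
enum { SSL3 = 0x0300, TLS1_0 = 0x0301, TLS1_1 = 0x0302, TLS1_2 = 0x0303 };
/* Outcomes of a handshake attempt other than a negotiated version. */
enum { HS_FAILED = 0, HS_INAPPROPRIATE_FALLBACK = -1 };

/* Hypothetical option bits standing in for OpenSSL's SSL_OP_NO_* flags. */
#define NO_SSL3   0x01u
#define NO_TLS1_0 0x02u
#define NO_TLS1_1 0x04u
#define NO_TLS1_2 0x08u

struct endpoint {
    int max_version;    /* SSLv3_method(): SSL3; SSLv23_method(): TLS1_2 */
    unsigned options;   /* NO_* bits, as one would set with SSL_CTX_set_options() */
    bool supports_scsv; /* implements TLS_FALLBACK_SCSV (RFC 7507) */
};

/* Constructed peers for the demonstration (assumed configurations, not real ones). */
static const struct endpoint OPENSSL_SSLV23         = { TLS1_2, 0,       false };
static const struct endpoint OPENSSL_SSLV23_NO_SSL3 = { TLS1_2, NO_SSL3, false };
static const struct endpoint SSLV3_ONLY_PEER        = { SSL3,   0,       false };
static const struct endpoint BROWSER_WITHOUT_SCSV   = { TLS1_2, 0,       false };
static const struct endpoint BROWSER_WITH_SCSV      = { TLS1_2, 0,       true  };
static const struct endpoint SERVER_WITH_SCSV       = { TLS1_2, 0,       true  };

static bool version_enabled(const struct endpoint *e, int v)
{
    static const unsigned no_bit[] = { NO_SSL3, NO_TLS1_0, NO_TLS1_1, NO_TLS1_2 };
    if (v < SSL3 || v > e->max_version)
        return false;
    return (e->options & no_bit[v - SSL3]) == 0;
}

static int highest_enabled(const struct endpoint *e)
{
    for (int v = e->max_version; v >= SSL3; v--)
        if (version_enabled(e, v))
            return v;
    return HS_FAILED;
}

/*
 * One in-protocol negotiation: the client offers client_version, the server
 * answers with the highest version it has enabled that is <= client_version,
 * and the client accepts only if that version is enabled on its side too.
 * There is no retry here. All a POODLE attacker can do on the wire is make a
 * TLS handshake fail (attacker_drops_tls); it cannot make the peers pick SSL 3.0.
 */
static int handshake(const struct endpoint *c, const struct endpoint *s,
                     int client_version, bool scsv_sent, bool attacker_drops_tls)
{
    /* RFC 7507: the SCSV tells a server that could have done better than
       client_version that this is a fallback retry, and the server refuses. */
    if (scsv_sent && s->supports_scsv && highest_enabled(s) > client_version)
        return HS_INAPPROPRIATE_FALLBACK;
    int v = HS_FAILED;
    for (int cand = client_version; cand >= SSL3; cand--)
        if (version_enabled(s, cand)) { v = cand; break; }
    if (v == HS_FAILED || !version_enabled(c, v))
        return HS_FAILED;
    return (attacker_drops_tls && v > SSL3) ? HS_FAILED : v;
}

/* What an SSLv23_method() client does: a single attempt at its best version. */
static int connect_once(const struct endpoint *c, const struct endpoint *s,
                        bool attacker_drops_tls)
{
    return handshake(c, s, highest_enabled(c), false, attacker_drops_tls);
}

/*
 * The browser-style "downgrade dance" POODLE needs: on any failure, retry one
 * version lower, adding TLS_FALLBACK_SCSV to retries if the client supports it.
 */
static int connect_with_fallback(const struct endpoint *c, const struct endpoint *s,
                                 bool attacker_drops_tls)
{
    int result = HS_FAILED;
    bool retry = false;
    for (int v = highest_enabled(c); v >= SSL3; v--) {
        if (!version_enabled(c, v))
            continue;
        result = handshake(c, s, v, retry && c->supports_scsv, attacker_drops_tls);
        if (result != HS_FAILED)
            return result; /* a version was negotiated, or the server refused the fallback */
        retry = true;
    }
    return result;
}

int main(void)
{
    printf("OpenSSL<->OpenSSL, SSLv23_method, no attacker: 0x%04x\n",
           (unsigned)connect_once(&OPENSSL_SSLV23, &OPENSSL_SSLV23, false));
    printf("OpenSSL<->OpenSSL, SSLv23_method, attacker drops TLS: %d (fails, never SSL 3.0)\n",
           connect_once(&OPENSSL_SSLV23, &OPENSSL_SSLV23, true));
    printf("OpenSSL<->SSLv3-only peer: 0x%04x\n",
           (unsigned)connect_once(&OPENSSL_SSLV23, &SSLV3_ONLY_PEER, false));
    printf("browser fallback without SCSV, attacker: 0x%04x (downgraded to SSL 3.0)\n",
           (unsigned)connect_with_fallback(&BROWSER_WITHOUT_SCSV, &OPENSSL_SSLV23, true));
    printf("browser fallback, SCSV on both sides, attacker: %d (inappropriate_fallback)\n",
           connect_with_fallback(&BROWSER_WITH_SCSV, &SERVER_WITH_SCSV, true));
    return 0;
}
```

The last two cases are why TLS_FALLBACK_SCSV only helps when both sides implement it: a client that sends the SCSV to a server that ignores it still ends up on SSL 3.0, and a client that never retries (OpenSSL with SSLv23_method) never needed it against an OpenSSL peer in the first place.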
