Salz, Rich <>:

Disabling ssl3 is a good thing.  But set the fallback because silently
> dropping from tls 1.2 to tls 1.1 is bad.

All this assumes that your client application *does* explicitly fall back
from TLS 1.2 to TLS 1.1, instead of just relying on automatic protocol
version negotiation. If you never do that (and I suspect you don't), your
client has no need for TLS_FALLBACK_SCSV. Do NOT set this, except for
fallback connections that downgrade the protocol version.


Reply via email to