Salz, Rich <rs...@akamai.com>:
> Disabling ssl3 is a good thing. But set the fallback because silently
> dropping from tls 1.2 to tls 1.1 is bad.
All this assumes that your client application *does* explicitly fall back from TLS 1.2 to TLS 1.1, instead of just relying on automatic protocol version negotiation. If you never do that (and I suspect you don't), your client has no need for TLS_FALLBACK_SCSV. Do NOT set this, except for fallback connections that downgrade the protocol version.

Bodo
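The distinction Bodo draws (ordinary version negotiation versus an explicit downgrade retry) is easiest to see with both sides of the exchange in front of you. The following is an added example, not code from this thread and not OpenSSL's API: a constructed Python simulation of the RFC 7507 rules, where `Server`, `Network`, `negotiate`, `connect_with_fallback` and `scsv_on_first_attempt` are names chosen for this illustration. It models a client that only negotiates (and never needs the SCSV), a client that retries with a lower version and signals that only on the retry, and the mistake of sending the SCSV on a first-attempt connection.

```python
# Constructed simulation of RFC 7507 TLS_FALLBACK_SCSV semantics.
# Illustration only; it is not OpenSSL code and performs no real TLS.

TLS_FALLBACK_SCSV = 0x5600          # cipher-suite value assigned by RFC 7507
ORDER = {"TLS1.0": 1, "TLS1.1": 2, "TLS1.2": 3}


class InappropriateFallback(Exception):
    """Stands in for the inappropriate_fallback alert (RFC 7507, alert 86)."""


class HandshakeDropped(Exception):
    """Stands in for a network failure before ServerHello, the usual fallback trigger."""


class Server:
    """A server speaking up to `max_version` that applies the RFC 7507 check."""

    def __init__(self, max_version):
        self.max_version = max_version

    def hello(self, client_max, cipher_suites):
        # RFC 7507 section 3: a fallback signal from a client whose highest
        # offered version is below ours is evidence of a downgrade; abort.
        if TLS_FALLBACK_SCSV in cipher_suites and ORDER[client_max] < ORDER[self.max_version]:
            raise InappropriateFallback(
                f"client offered {client_max} with SCSV, server supports {self.max_version}")
        # Normal negotiation: the highest version both sides support.
        return min(client_max, self.max_version, key=ORDER.get)


class Network:
    """Constructed transport that drops ClientHellos at the listed versions,
    standing in for a broken middlebox or an active downgrade attempt."""

    def __init__(self, server, dropped=()):
        self.server = server
        self.dropped = set(dropped)

    def send_hello(self, client_max, cipher_suites):
        if client_max in self.dropped:
            raise HandshakeDropped(client_max)
        return self.server.hello(client_max, cipher_suites)


BASE_SUITES = [0x002F, 0x0035]      # constructed placeholder cipher-suite ids


def negotiate(network, max_version="TLS1.2"):
    """Client that relies on version negotiation alone: one attempt, no SCSV.
    This is the common case in the reply above; it never needs the SCSV."""
    return network.send_hello(max_version, list(BASE_SUITES))


def connect_with_fallback(network, versions=("TLS1.2", "TLS1.1", "TLS1.0"), send_scsv=True):
    """Client that retries with a lower version after a dropped handshake.
    Only the retries, i.e. the downgraded connections, carry TLS_FALLBACK_SCSV."""
    for attempt, version in enumerate(versions):
        suites = list(BASE_SUITES)
        if attempt > 0 and send_scsv:
            suites.append(TLS_FALLBACK_SCSV)
        try:
            return network.send_hello(version, suites)
        except HandshakeDropped:
            continue                # try one version lower
    raise HandshakeDropped("no version succeeded")


def scsv_on_first_attempt(network, max_version):
    """The mistake warned against above: SCSV on a non-fallback connection."""
    return network.send_hello(max_version, BASE_SUITES + [TLS_FALLBACK_SCSV])


if __name__ == "__main__":
    # An old TLS 1.1-only server is handled by negotiation; no fallback needed.
    print("negotiate vs TLS1.1 server:", negotiate(Network(Server("TLS1.1"))))
    # TLS 1.2 hellos dropped on the path to a TLS 1.2 server.
    path = Network(Server("TLS1.2"), dropped=["TLS1.2"])
    print("fallback without SCSV:", connect_with_fallback(path, send_scsv=False))
    try:
        connect_with_fallback(path)
    except InappropriateFallback as e:
        print("fallback with SCSV rejected:", e)
```

Running it shows the three outcomes side by side: the negotiating client lands on TLS 1.1 against a genuinely old server without any retry, a retrying client without the SCSV is silently downgraded to TLS 1.1 when its TLS 1.2 hello is dropped, and the same retry with the SCSV is refused by a TLS 1.2-capable server. The last function shows why the mode must stay off on first-attempt connections: a client capped at TLS 1.1 that sends the SCSV to a TLS 1.2 server is rejected even though nothing was downgraded.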