Hi All,

I have a question regarding SSL_MODE_SEND_FALLBACK_SCSV, introduced in OpenSSL 0.9.8zc as a preventive measure for the SSL 3.0 POODLE vulnerability.
I have client and server applications using OpenSSL for SSL/TLS communication. My question is: what will happen if I update my client applications with this OpenSSL patch (and also set SSL_MODE_SEND_FALLBACK_SCSV) while the server applications are NOT updated with the patch? The questions are:

1. Will this updated client, with TLS_FALLBACK set, be able to work with an un-updated server (a server using an older version of OpenSSL where this FALLBACK mode is not set)?

2. Is it a good idea to hard-code this option permanently in the application, or should I offer it as a configuration option to the user? I am asking this because my client application may need to communicate with old servers that do not have this fix.

I understand that the vulnerability will remain if both the client and the server lack the fix and are using SSL v3. Still, I want to understand the risk before updating my application, so that nothing breaks in my application while fixing this vulnerability.

I appreciate your continuous support of the OpenSSL community.

Regards,
Aditya
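Added example (editor's illustration, not part of Aditya's message and not OpenSSL code): a small model of the TLS_FALLBACK_SCSV rule from RFC 7507, worked at the level of the ClientHello cipher-suite list, to show what the two questions above turn on. RFC 7507 reserves the cipher-suite value 0x5600 as the signal and defines the fatal alert inappropriate_fallback (86); a server that was never updated simply sees 0x5600 as an unknown suite and skips it, while an updated server aborts when the signal is present and its own highest version is above the version in the ClientHello. The function names, the version tuples and the suite lists are constructed for this example; the suite values and alert numbers are the real IANA/RFC ones. The last two scenarios show why OpenSSL documents the mode for fallback retries only: an OpenSSL 0.9.8 client tops out at TLS 1.0, so hard-coding the SCSV on every connection gets that client rejected by any updated server that already speaks TLS 1.1 or 1.2, even though an un-updated server would never notice.

```python
from typing import Dict, List, Set, Tuple

Version = Tuple[int, int]  # (major, minor) as carried in ClientHello.client_version

TLS_FALLBACK_SCSV = 0x5600          # RFC 7507 cipher-suite value {0x56, 0x00}
ALERT_INAPPROPRIATE_FALLBACK = 86   # RFC 7507 alert inappropriate_fallback(86)
ALERT_HANDSHAKE_FAILURE = 40        # standard TLS alert handshake_failure(40)

SSL3_0: Version = (3, 0)
TLS1_0: Version = (3, 1)
TLS1_2: Version = (3, 3)

# Constructed sample suite list (values are the real IANA assignments).
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
TLS_RSA_WITH_RC4_128_SHA = 0x0005
BASE_SUITES = [TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_RC4_128_SHA]


def encode_cipher_suites(suites: List[int]) -> bytes:
    """Encode a ClientHello cipher_suites vector: 2-byte length, then 2-byte entries."""
    body = b"".join(s.to_bytes(2, "big") for s in suites)
    return len(body).to_bytes(2, "big") + body


def parse_cipher_suites(data: bytes) -> List[int]:
    """Parse the vector back; reject truncated or odd-length input."""
    if len(data) < 2:
        raise ValueError("cipher_suites vector too short")
    length = int.from_bytes(data[:2], "big")
    body = data[2:2 + length]
    if len(body) != length or length % 2:
        raise ValueError("malformed cipher_suites vector")
    return [int.from_bytes(body[i:i + 2], "big") for i in range(0, length, 2)]


def client_hello(attempt_version: Version, max_version: Version,
                 base_suites: List[int], always_send_scsv: bool = False) -> Tuple[Version, bytes]:
    """Build (client_version, cipher_suites) for one connection attempt.

    Intended use (hypothetical model of SSL_MODE_SEND_FALLBACK_SCSV): append the
    SCSV only when this attempt is a downgrade from the client's own maximum.
    always_send_scsv models hard-coding the mode on every connection instead.
    """
    suites = list(base_suites)
    if always_send_scsv or attempt_version < max_version:
        suites.append(TLS_FALLBACK_SCSV)
    return attempt_version, encode_cipher_suites(suites)


def server_response(client_version: Version, cipher_suites: bytes,
                    server_max_version: Version, supported: Set[int],
                    understands_scsv: bool) -> Tuple[str, int]:
    """Return ('alert', code) or ('accept', negotiated_suite).

    Legacy server: 0x5600 is just an unknown suite and is skipped.
    Updated server (RFC 7507 section 3): SCSV present and server_max_version
    higher than client_version -> fatal inappropriate_fallback.
    """
    offered = parse_cipher_suites(cipher_suites)
    if understands_scsv and TLS_FALLBACK_SCSV in offered and server_max_version > client_version:
        return ("alert", ALERT_INAPPROPRIATE_FALLBACK)
    for suite in offered:
        if suite in supported:  # the SCSV is never a negotiable suite
            return ("accept", suite)
    return ("alert", ALERT_HANDSHAKE_FAILURE)


def run_scenarios() -> Dict[str, Tuple[str, int]]:
    """The four cases behind the questions in the message above."""
    out: Dict[str, Tuple[str, int]] = {}
    legacy, updated = False, True
    # 1. 0.9.8zc client (max TLS 1.0) retrying at SSL 3.0 against an un-updated server.
    v, cs = client_hello(SSL3_0, TLS1_0, BASE_SUITES)
    out["fallback_to_legacy_server"] = server_response(v, cs, TLS1_0, set(BASE_SUITES), legacy)
    # 2. Same retry against a server that has the fix: the downgrade is refused.
    out["fallback_to_patched_server"] = server_response(v, cs, TLS1_0, set(BASE_SUITES), updated)
    # 3. SCSV hard-coded on every connection; first attempt at the client's own
    #    maximum (TLS 1.0) against an updated server that speaks TLS 1.2.
    v, cs = client_hello(TLS1_0, TLS1_0, BASE_SUITES, always_send_scsv=True)
    out["hardcoded_scsv_vs_newer_server"] = server_response(v, cs, TLS1_2, set(BASE_SUITES), updated)
    # 4. Same hard-coded client against an updated server whose maximum is also TLS 1.0.
    out["hardcoded_scsv_vs_same_max"] = server_response(v, cs, TLS1_0, set(BASE_SUITES), updated)
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

Scenario 1 is the interoperability case: the un-updated server negotiates 0x002F and never notices the SCSV. Scenario 2 is the protection: the updated server answers alert 86. Scenario 3 is the cost of hard-coding the mode: a client whose ClientHello says TLS 1.0 but whose peer already supports TLS 1.2 is refused, which is why the mode belongs on the retry path only.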