This is the first time I've seen this point of view expressed, but it does make evident sense - after all, the whole idea of falling back is to find a mutually acceptable version. However, it conflicts with some of the previous advice I've seen on the list which recommended that SSL_MODE_SEND_FALLBACK_SCSV *always* be set to prevent downgrade from v1.1 to v1.2 for example. Any consensus? ... N
-----Original Message----- ...

Unconditionally setting SSL_MODE_SEND_FALLBACK_SCSV (whether by default or after user configuration) is a time bomb: your client application will break once the server implements TLS 1.3 (or any TLS version newer than what is supported by the OpenSSL version you use). Extremely few applications have to deal with SSL_MODE_SEND_FALLBACK_SCSV.

--
Florian Weimer / Red Hat Product Security

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
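To make Florian's point concrete, here is a small Python model of the RFC 7507 server rule that causes the breakage (an added example, not code from the thread or from OpenSSL; the server dictionaries, the `intolerant_above` and `blocked_versions` knobs and the suite lists are constructed for the simulation):

```python
# Constructed model of the TLS_FALLBACK_SCSV rule (RFC 7507); not OpenSSL code.
TLS1_1, TLS1_2, TLS1_3 = 0x0302, 0x0303, 0x0304   # ProtocolVersion values on the wire
TLS_FALLBACK_SCSV = 0x5600                        # cipher-suite value reserved by RFC 7507
ORDINARY_SUITES = [0xC02F, 0xC030]                 # example suites (constructed list, real IANA values)

def server_response(server_max, client_max, cipher_suites, intolerant_above=None):
    """Server side. 'intolerant_above' models a broken legacy server that drops
    any ClientHello offering a version it does not understand (the only reason
    a client should ever retry at a lower version)."""
    if intolerant_above is not None and client_max > intolerant_above:
        return ("dropped", None)
    # RFC 7507 section 3: SCSV present and the server supports something higher
    # than the client offered -> the client is falling back needlessly, refuse.
    if TLS_FALLBACK_SCSV in cipher_suites and server_max > client_max:
        return ("alert", "inappropriate_fallback")
    return ("ok", min(server_max, client_max))

def client_hello(offered_max, send_scsv):
    suites = ORDINARY_SUITES + ([TLS_FALLBACK_SCSV] if send_scsv else [])
    return offered_max, suites

def connect_unconditional_scsv(client_max, server):
    """Client that always sets SSL_MODE_SEND_FALLBACK_SCSV: the SCSV rides in
    the very first ClientHello, sent at the client's true maximum version."""
    offered, suites = client_hello(client_max, send_scsv=True)
    return server_response(server["max"], offered, suites, server.get("intolerant_above"))

def connect_with_fallback_policy(client_max, server, blocked_versions=()):
    """Client that follows RFC 7507: no SCSV on the first attempt; on a dropped
    connection retry one version lower and add the SCSV only then.
    'blocked_versions' models an on-path party dropping attempts at those versions."""
    version = client_max
    while version >= TLS1_1:
        offered, suites = client_hello(version, send_scsv=(version < client_max))
        if version in blocked_versions:
            result = ("dropped", None)
        else:
            result = server_response(server["max"], offered, suites, server.get("intolerant_above"))
        if result[0] != "dropped":
            return result
        version -= 1
    return ("failed", None)

if __name__ == "__main__":
    modern = {"max": TLS1_3}                              # server already speaking TLS 1.3
    legacy = {"max": TLS1_1, "intolerant_above": TLS1_1}  # old, version-intolerant server
    # Florian's time bomb: an OpenSSL build that tops out at TLS 1.2 meets a TLS 1.3 server.
    print(connect_unconditional_scsv(TLS1_2, modern))      # ('alert', 'inappropriate_fallback')
    print(connect_with_fallback_policy(TLS1_2, modern))    # ('ok', 771)  -> TLS 1.2, no SCSV sent
    print(connect_with_fallback_policy(TLS1_2, legacy))    # ('ok', 770)  -> genuine fallback accepted
    print(connect_with_fallback_policy(TLS1_2, modern, blocked_versions={TLS1_2}))  # downgrade caught
```

The last call shows the SCSV doing its real job: a retry forced by something dropping the TLS 1.2 attempt is refused by a server that knows it speaks more than TLS 1.1.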