When I said "always" I meant "always when you fall back"
I was being too terse and not clear enough. Hope this helps.

--
Principal Security Engineer, Akamai Technologies
IM: rs...@jabber.me Twitter: RichSalz

> -----Original Message-----
> From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Nou Dadoun
> Sent: Monday, October 20, 2014 7:08 PM
> To: openssl-users@openssl.org
> Subject: RE: SSL_MODE_SEND_FALLBACK_SCSV option
>
> This is the first time I've seen this point of view expressed but it does make evident sense - after all, the whole idea of falling back is to find a mutually acceptable version. However it conflicts with some of the previous advice I've seen on the list which recommended that SSL_MODE_SEND_FALLBACK_SCSV *always* be set to prevent downgrade from v1.1 to v1.2 for example. Any consensus?
>
> ... N
>
> > -----Original Message-----
> > ...
> > Unconditionally setting SSL_MODE_SEND_FALLBACK_SCSV (if by default or after user configuration) is a time bomb - your client application will break once the server implements TLS 1.3 (or any newer TLS version than what is supported by the OpenSSL version you use). Extremely few applications have to deal with SSL_MODE_SEND_FALLBACK_SCSV.
> >
> > --
> > Florian Weimer / Red Hat Product Security
> > ______________________________________________________________________
> > OpenSSL Project http://www.openssl.org
> > User Support Mailing List openssl-users@openssl.org
> > Automated List Manager majord...@openssl.org
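The rule the thread is arguing about, as an added example that is not part of the original messages and not OpenSSL code: a small simulation of the TLS_FALLBACK_SCSV check from RFC 7507. The `Server`, `DowngradingAttacker` and `connect_with_fallback` names, the "version-intolerant" server model and the cipher-suite values other than the SCSV itself are assumptions constructed for the example. It shows the three cases that matter: a legitimate fallback to a broken server succeeds, a man-in-the-middle downgrade is caught, and a client that sends the SCSV on its first attempt breaks against any server that supports a newer version than the client does.

```python
"""Simulation of the TLS_FALLBACK_SCSV rule (RFC 7507).

Illustrative code only: the Server and DowngradingAttacker classes are
constructed models for this example, not OpenSSL or any real TLS stack.
"""

TLS10, TLS11, TLS12, TLS13 = 0x0301, 0x0302, 0x0303, 0x0304
TLS_FALLBACK_SCSV = 0x5600           # cipher-suite value defined by RFC 7507
BASE_SUITES = (0xC02F, 0x009C)       # two ordinary suites, assumed for realism


class ConnectionReset(Exception):
    """Transport-level failure: the kind of error a client falls back on."""


class InappropriateFallback(Exception):
    """The server sent the inappropriate_fallback alert (RFC 7507, section 3)."""


class Server:
    """Constructed server model. intolerant_above models a broken server that
    resets any ClientHello offering a version above that value."""

    def __init__(self, max_version, intolerant_above=None):
        self.max_version = max_version
        self.intolerant_above = intolerant_above

    def handshake(self, client_version, cipher_suites):
        if self.intolerant_above is not None and client_version > self.intolerant_above:
            raise ConnectionReset(f"server choked on ClientHello {client_version:#06x}")
        # RFC 7507 section 3: SCSV present plus a client version below the
        # server's highest supported version means the client was downgraded.
        if TLS_FALLBACK_SCSV in cipher_suites and client_version < self.max_version:
            raise InappropriateFallback(
                f"client offered {client_version:#06x} with SCSV, "
                f"server supports {self.max_version:#06x}")
        return min(self.max_version, client_version)


class DowngradingAttacker:
    """Constructed man-in-the-middle that resets every ClientHello above
    max_allowed, hoping the client retries at a weaker version."""

    def __init__(self, server, max_allowed):
        self.server = server
        self.max_allowed = max_allowed

    def handshake(self, client_version, cipher_suites):
        if client_version > self.max_allowed:
            raise ConnectionReset("attacker reset the connection")
        return self.server.handshake(client_version, cipher_suites)


def connect_with_fallback(peer, client_versions, always_scsv=False):
    """Client-side fallback dance.

    Tries the highest supported version first.  On a transport failure it
    retries one version lower and adds TLS_FALLBACK_SCSV to that retry only.
    always_scsv=True models the misconfiguration discussed in the thread:
    the SCSV is sent even on the first attempt.
    Returns (negotiated_version, [versions that failed before it]).
    """
    failed = []
    for attempt, version in enumerate(sorted(client_versions, reverse=True)):
        falling_back = attempt > 0
        suites = list(BASE_SUITES)
        if falling_back or always_scsv:
            suites.append(TLS_FALLBACK_SCSV)
        try:
            return peer.handshake(version, suites), failed
        except ConnectionReset:
            failed.append(version)
    raise RuntimeError("no mutually acceptable version")


if __name__ == "__main__":
    client = [TLS10, TLS11, TLS12]
    print("broken TLS 1.0-only server:",
          connect_with_fallback(Server(TLS10, intolerant_above=TLS10), client))
    print("honest TLS 1.3 server, SCSV only on fallback:",
          connect_with_fallback(Server(TLS13), client))
    for label, peer, always in (
        ("downgrade attack", DowngradingAttacker(Server(TLS12), TLS11), False),
        ("SCSV always set vs TLS 1.3 server", Server(TLS13), True),
    ):
        try:
            connect_with_fallback(peer, client, always_scsv=always)
        except InappropriateFallback as e:
            print(f"{label}: inappropriate_fallback ({e})")
```

In a real OpenSSL client the `falling_back` branch is where `SSL_set_mode(ssl, SSL_MODE_SEND_FALLBACK_SCSV)` belongs, set on the retry connection together with the lowered maximum version (`SSL_set_max_proto_version` on 1.1.0 and later, or `SSL_OP_NO_TLSv1_2` and friends on the 1.0.x releases current when the thread was written). The last scenario is Florian's "time bomb": the client supports up to TLS 1.2, the server up to TLS 1.3, and the unconditional SCSV turns a perfectly good first attempt into an inappropriate_fallback alert.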