OpenSSL will do "automatic protocols negotiation" and I don't need to also use
TLS_FALLBACK_SCSV.
Did I get it this time?
Geoff
>
> From: Bodo Moeller
>To: "openssl-users@openssl.org"
>Sent: Friday, October 17, 2014 4:03 AM
&
Salz, Rich :
Disabling ssl3 is a good thing. But set the fallback because silently
> dropping from tls 1.2 to tls 1.1 is bad.
>
All this assumes that your client application *does* explicitly fall back
from TLS 1.2 to TLS 1.1, instead of just relying on automatic protocol
version negotiation. If
On 10/16/2014 10:42 PM, Nou Dadoun wrote:
A few short (simple) questions about the use of TLS_FALLBACK_SCSV since
we’re currently upgrading to the latest openssl releases.
We don’t establish sessions with any other products than our own clients
and servers.
We’ve already disabled the use of SSL
On 10/17/2014 01:24 AM, Salz, Rich wrote:
It does not matter who you talk to. With a POODLE attack, your content
can be decrypted. Cookies, etc., were just used as an example.
If OpenSSL talks to OpenSSL, and both ends have been set up with the
SSLv23_method, and SSL_CTX_set_options has not
controlled scenario, I don’t think we’re vulnerable to
a POODLE attack unless there’s something I’m missing … N
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Salz, Rich
Sent: October-16-14 4:24 PM
To: openssl-users@openssl.org
Subject: RE: Use of
It does not matter who you talk to. With a POODLE attack, your content can be
decrypted. Cookies, etc., were just used as an example.
Disabling ssl3 is a good thing. But set the fallback because silently dropping
from tls 1.2 to tls 1.1 is bad. It’s done during the handshake process as part
On Thu, Oct 16, 2014 at 4:42 PM, Nou Dadoun wrote:
> ...
> We’ve already disabled the use of SSLv3 in both our client and server
> releases going forward, is there any advantage in also using
> TLS_FALLBACK_SCSV – i.e. will there be any benefit in connecting to our
> already deployed clients and s