not been used to disable all
TLS versions, then SSL 3.0 will never be negotiated, and attacks on SSL
3.0 are a non-issue. Even if you do not use TLS_FALLBACK_SCSV at all,
or OpenSSL versions which do not support it.
So it does matter who you talk to.
--
Florian Weimer / Red Hat Product Security
On 10/16/2014 10:42 PM, Nou Dadoun wrote:
A few short (simple) questions about the use of TLS_FALLBACK_SCSV since
we’re currently upgrading to the latest openssl releases.
We don’t establish sessions with any other products than our own clients
and servers.
We’ve already disabled the use
Salz, Rich rs...@akamai.com:
Disabling ssl3 is a good thing. But set the fallback because silently
dropping from tls 1.2 to tls 1.1 is bad.
All this assumes that your client application *does* explicitly fall back
from TLS 1.2 to TLS 1.1, instead of just relying on automatic protocol
version
Thank you, Bodo.
This is a crucial point that was not clear to me when I was investigating the
use of TLS_FALLBACK_SCSV the first time.
If my application uses SSLv23_method() when constructing the SSL context, and
then explicitly disables SSLv2 and SSLv3 using SSL_CTX_set_options
A few short (simple) questions about the use of TLS_FALLBACK_SCSV since we’re
currently upgrading to the latest openssl releases.
We don’t establish sessions with any other products than our own clients and
servers.
We’ve already disabled the use of SSLv3 in both our client and server releases
On Thu, Oct 16, 2014 at 4:42 PM, Nou Dadoun ndad...@teradici.com wrote:
...
We’ve already disabled the use of SSLv3 in both our client and server
releases going forward, is there any advantage in also using
TLS_FALLBACK_SCSV – i.e. will there be any benefit in connecting to our
already
It does not matter who you talk to. With a POODLE attack, your content can be
decrypted. Cookies, etc., were just used as an example.
Disabling ssl3 is a good thing. But set the fallback because silently dropping
from tls 1.2 to tls 1.1 is bad. It’s done during the handshake process as part
controlled scenario, I don’t think we’re vulnerable to
a POODLE attack unless there’s something I’m missing … N
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Salz, Rich
Sent: October-16-14 4:24 PM
To: openssl-users@openssl.org
Subject: RE: Use