On 24/10/14 21:28, Richard Könning wrote:
> SSLv3 alone is vulnerable. When you decide that this vulnerability is so
> large that you don't want to use SSLv3 in any case then life is easy:
> deactivate the usage of SSLv3 in all clients and servers and you do
> not have to think about fall back to SSLv3.
>
> But when your opinion is that an SSLv3 connection is better than no
> connection then you may have to fall back to SSLv3 sometimes. The
> TLS_FALLBACK_SCSV helps you to ensure that the fall back is done only
> when SSLv3 is really the highest SSL/TLS protocol shared by client and
> server.

TLS_FALLBACK_SCSV helps to prevent an attacker from forcing a fallback
to other versions as well, e.g. server and client might both support
TLSv1.1, but an attacker could force a fallback to TLSv1.0. At the
moment this isn't too much of a problem... but who knows what future
vulnerabilities might be discovered in other protocol versions? So you
should be considering fallback issues beyond just SSLv3.

Matt
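
The server-side check discussed in this thread, as an added example that is not part of either message or of OpenSSL's code: a small model of the RFC 7507 rule, covering both the SSLv3 case and the TLSv1.1-to-TLSv1.0 case. The helper names (`server_check`, `hello_suites`) are hypothetical and the cipher-suite vectors are constructed sample input.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600      # signalling cipher suite value {0x56, 0x00}, RFC 7507
INAPPROPRIATE_FALLBACK = 86     # alert description defined by RFC 7507
# Wire versions as (major, minor); tuples compare in protocol order.
SSL3, TLS1_0, TLS1_1, TLS1_2 = (3, 0), (3, 1), (3, 2), (3, 3)


def parse_cipher_suites(vector: bytes) -> list:
    """Parse a ClientHello cipher_suites vector: 2-byte length, then 2-byte suites."""
    if len(vector) < 2:
        raise ValueError("truncated cipher_suites vector")
    (length,) = struct.unpack("!H", vector[:2])
    body = vector[2:]
    if length == 0 or length % 2 or length != len(body):
        raise ValueError("malformed cipher_suites vector")
    return [suite for (suite,) in struct.iter_unpack("!H", body)]


def server_check(client_version, cipher_suites_vector, server_versions):
    """Return ("alert", 86) on a detected downgrade, else ("proceed", version)."""
    suites = parse_cipher_suites(cipher_suites_vector)
    highest = max(server_versions)
    # The SCSV says "this hello is a retry at a lower version". If the server
    # could have done better than the offered version, the retry was forced.
    if TLS_FALLBACK_SCSV in suites and highest > client_version:
        return ("alert", INAPPROPRIATE_FALLBACK)
    usable = [v for v in server_versions if v <= client_version]
    if not usable:
        raise ValueError("no shared protocol version")
    return ("proceed", max(usable))


def hello_suites(*suites):
    """Build a constructed cipher_suites vector for the sample ClientHellos."""
    body = b"".join(struct.pack("!H", s) for s in suites)
    return struct.pack("!H", len(body)) + body


if __name__ == "__main__":
    aes = 0x002F  # TLS_RSA_WITH_AES_128_CBC_SHA, used only as a sample suite
    servers = [SSL3, TLS1_0, TLS1_1]
    print(server_check(TLS1_0, hello_suites(aes, TLS_FALLBACK_SCSV), servers))
    print(server_check(SSL3, hello_suites(aes, TLS_FALLBACK_SCSV), [SSL3]))
    print(server_check(TLS1_0, hello_suites(aes), servers))
```

The third call shows the limit of the mechanism: a fallback retry from a client that does not send the SCSV proceeds at the lower version, so both ends need support for the check to take effect.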