Il 17/10/2014 11:05, Florian Weimer ha scritto:
Do you downgrade the support protocols on handshake failures, like web
browsers do?
Not explicitely. I think it's my fault at understanding the issue -- I
somehow that that could be the case when using
SSL_CTX_new(SSLv23_client_method())
whi
> > SSL_set_mode(ssl, SSL_MODE_SEND_FALLBACK_SCSV)
>
> You might care about fallback from TLS 1.2 (which has PFS) to TLS 1.1 (which
> doesn't).
>
> I recommend that you always set that flag.
Two clarifications: TLS 1.2 (with AEAD) to TLS 1.1 (doesn't). Or TLS 1.1 (PFS)
to TLS 1.0.
And by a
On 10/17/2014 10:10 AM, Giuseppe D'Angelo wrote:
Yep, and the problem is that I control the application, not which
OpenSSL version is installed. Therefore I wanted to future-proof my
application, so when OpenSSL gets upgraded to a version which supports
SSL_MODE_SEND_FALLBACK_SCSV, everything wil
Il 17/10/2014 01:11, Salz, Rich ha scritto:
That will not work. You can do this:
#ifdef SSL_MODE_SEND_FALLBACK_SCSV
SSL_CTX_set_mode(ctx, SSL_MODE_SEND_FALLBACK_SCSV)
#endif
But that is not the same thing.
You cannot just slip SCSV into an application without code changes to the
applic
> #ifndef SSL_MODE_SEND_FALLBACK_SCSV
> #define SSL_MODE_SEND_FALLBACK_SCSV 0x0080L
> #endif
That will not work. You can do this:
#ifdef SSL_MODE_SEND_FALLBACK_SCSV
SSL_CTX_set_mode(ctx, SSL_MODE_SEND_FALLBACK_SCSV)
#endif
But that is not the same thing.
You cannot just slip SCSV int
Hi,
Il 16/10/2014 00:01, Salz, Rich ha scritto:
I recommend that you always set that flag.
Do I need to detect which OpenSSL version I have before setting that
flag (otherwise it would break the application) or can I always safely
set it on a SSL context?
In other words: I'd like to do som
> If the context options are set to remove SSLv3:
> Then is the following needed from [0]:
>
> SSL_set_mode(ssl, SSL_MODE_SEND_FALLBACK_SCSV)
You might care about fallback from TLS 1.2 (which has PFS) to TLS 1.1 (which
doesn't).
I recommend that you always set that flag.
--
Principal Sec
