Nou Dadoun
2014-10-16 20:42:29 UTC
A few short (simple) questions about the use of TLS_FALLBACK_SCSV since weâre currently upgrading to the latest openssl releases.
We donât establish sessions with any other products than our own clients and servers.
Weâve already disabled the use of SSLv3 in both our client and server releases going forward, is there any advantage in also using TLS_FALLBACK_SCSV â i.e. will there be any benefit in connecting to our already deployed clients and servers?
(I actually donât think that weâre vulnerable to POODLE since we donât use anything like encrypted cookies or repeated messages that could be used to exploit padding changes to âpeel offâ decoded chunks. Is there any other mechanism to exploit this would make us vulnerable?)
Where in the session establishment is TLS_FALLBACK_SCSV used and how would we incorporate it?
I think a lot of folks will probably have these or similar questions, is there a FAQ somewhere to address this?
Thanks in advance ⊠N
We donât establish sessions with any other products than our own clients and servers.
Weâve already disabled the use of SSLv3 in both our client and server releases going forward, is there any advantage in also using TLS_FALLBACK_SCSV â i.e. will there be any benefit in connecting to our already deployed clients and servers?
(I actually donât think that weâre vulnerable to POODLE since we donât use anything like encrypted cookies or repeated messages that could be used to exploit padding changes to âpeel offâ decoded chunks. Is there any other mechanism to exploit this would make us vulnerable?)
Where in the session establishment is TLS_FALLBACK_SCSV used and how would we incorporate it?
I think a lot of folks will probably have these or similar questions, is there a FAQ somewhere to address this?
Thanks in advance ⊠N