Aditya Kumar
2014-10-20 10:50:47 UTC
Hi All,
I have a question regarding SSL_MODE_SEND_FALLBACK_SCSV introduced in
OpenSSL 0.9.8zc as part of a preventive measure for SSL 3.0 POODLE
vulnerability.
I have client and server applications using OpenSSL for SSL/TLS
communication. My question is that what will happen if I update my client
applications with this OpenSSL patch( and also set
SSL_MODE_SEND_FALLBACK_SCSV) and the Server Applications are NOT updated
with the patch? The questions are:
1. Will this updated client set with TLS_FALLBACK will be able to work with
un-updated Server(server using older version of OpenSSL where this FALLBACK
mode is not set)?
2. Is it a good idea to hard code this option permanently in application or
should I give this as a configuration option to the user? I am asking this
as my client application may require to communicate with old Servers not
having this fix.
I understand that the vulnerability will remain if both the client and
server are not having the fix and they are using SSL V3. Still i want to
understand the risk before updating my application so that nothing breaks
with my application while fixing this vulnerability.
I appreciate your continuous support to OpenSSL community.
Regards,
Aditya
I have a question regarding SSL_MODE_SEND_FALLBACK_SCSV introduced in
OpenSSL 0.9.8zc as part of a preventive measure for SSL 3.0 POODLE
vulnerability.
I have client and server applications using OpenSSL for SSL/TLS
communication. My question is that what will happen if I update my client
applications with this OpenSSL patch( and also set
SSL_MODE_SEND_FALLBACK_SCSV) and the Server Applications are NOT updated
with the patch? The questions are:
1. Will this updated client set with TLS_FALLBACK will be able to work with
un-updated Server(server using older version of OpenSSL where this FALLBACK
mode is not set)?
2. Is it a good idea to hard code this option permanently in application or
should I give this as a configuration option to the user? I am asking this
as my client application may require to communicate with old Servers not
having this fix.
I understand that the vulnerability will remain if both the client and
server are not having the fix and they are using SSL V3. Still i want to
understand the risk before updating my application so that nothing breaks
with my application while fixing this vulnerability.
I appreciate your continuous support to OpenSSL community.
Regards,
Aditya