Ray wrote:

> What about enabling this by default when it's available, something
> like if(!conn->data->set.ssl_disable_scsv)
> SSL_CTX_set_mode(connssl->ctx, SSL_MODE_SEND_FALLBACK_SCSV), and
> something could be put in CURLOPT_SSL_OPTIONS to allow the user disable
> it like was done for BEAST, like CURLSSLOPT_ALLOW_DOWNGRADE_ATTACK would
> set ssl_disable_scsv true.

My understanding is that SSL_MODE_SEND_FALLBACK_SCSV should be set if and
only if the TLS/SSL session being established is itself an attempt to
establish a connection with a fallback TLS/SSL version following a previous
handshake failure. It should not be set by default.

Does libcurl currently attempt any fallback itself? If it just uses
OpenSSL's own SSLv23_method, then I don't think there's an issue. In that
case, I don't think it is possible for a man in the middle to force a
fallback to SSL3. I'm sure someone will correct me if that's incorrect.

Mark

-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-10-15