curl-library
Re: SSLv3 fallback attack POODLE
Date: Fri, 17 Oct 2014 12:08:59 +0200
On Friday 17 October 2014 06:56:48 Florian Weimer wrote:
> On 10/15/2014 08:58 AM, Ray Satiro wrote:
> > I read today of a new method to decrypt SSL called POODLE. If you
> > haven't read of it you should. It works by using SSL fallback behavior
> > to get SSLv3 which can now be decrypted [1][2].
>
> The OpenSSL change is unnecessary because the OpenSSL code does not
> actually fall back to SSL 3.0.
>
> The only TLS backend which implements insecure fallback to SSL 3.0 is
> NSS. Perhaps that fallback code can be removed completely?
I am all for removing the fallback code in upstream and Fedora but would
be careful with RHEL. There is an ongoing discussion in RHBZ:
https://bugzilla.redhat.com/CVE-2014-3566
Kamil
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-10-17