curl-library

Re: SSLv3 fallback attack POODLE

From: Florian Weimer <fweimer_at_redhat.com>
Date: Fri, 17 Oct 2014 16:31:20 +0200

On 10/16/2014 10:53 AM, Daniel Stenberg wrote:
>> If it's really possible in all SSL backends to disable negotiation
>> down to SSLv3 while still allowing it if explicitly requested (with
>> --sslv3) then I'm fine with that.
>
> Me too.

Do you consider the fallback logic in the NSS code a security
vulnerability? Then it might make sense to release its removal as a
separate security fix, and not include the SSL 3.0 removal, to minimize
the compatibility impact.

If you want to treat the NSS fallback code as a security vulnerability,
I will get the ball rolling on CVE assignment.

-- 
Florian Weimer / Red Hat Product Security
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html
Received on 2014-10-17