curl-library
Re: SSLv3 fallback attack POODLE
Date: Fri, 24 Oct 2014 12:54:23 +0200
On Friday 17 October 2014 16:40:46 Daniel Stenberg wrote:
> On Fri, 17 Oct 2014, Florian Weimer wrote:
> > Do you consider the fallback logic in the NSS code a security
> > vulnerability? Then it might make sense to release its removal as a
> > separate security fix, and not include the SSL 3.0 removal, to minimize
> > the compatibility impact.
> I don't. The POODLE attack doesn't work on anything that uses libcurl from
> what I've seen[1], so all our talk and discussions about disabling SSLv3 and
> removing the fallback logic in NSS are only extra precautions because they
> are involved in the POODLE attack and thus indicate areas that involve
> problems and weak security.
>
> [1] = http://daniel.haxx.se/blog/2014/10/17/curl-is-no-poodle/
Is the plan to disable SSL 3.0 by default still valid?
Are we going to make the change before the upcoming release?
Should I unimplement the fallback to SSL 3.0 in the NSS backend now, or wait
till Ray's patch appears upstream?
Kamil
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette: http://curl.haxx.se/mail/etiquette.html
Received on 2014-10-24