curl-library

Re: SSLv3 fallback attack POODLE

From: Kamil Dudka <kdudka_at_redhat.com>
Date: Fri, 17 Oct 2014 12:08:59 +0200

On Friday 17 October 2014 06:56:48 Florian Weimer wrote:
> On 10/15/2014 08:58 AM, Ray Satiro wrote:
> > I read today of a new method to decrypt SSL called POODLE. If you
> > haven't read of it you should. It works by using SSL fallback behavior
> > to get SSLv3 which can now be decrypted [1][2].
>
> The OpenSSL change is unnecessary because the OpenSSL code does not
> actually fall back to SSL 3.0.
>
> The only TLS backend which implements insecure fallback to SSL 3.0 is
> NSS. Perhaps that fallback code can be removed completely?

I am all for removing the fallback code in upstream and Fedora but would
be careful with RHEL. There is an ongoing discussion in RHBZ:

https://bugzilla.redhat.com/CVE-2014-3566

Kamil
-------------------------------------------------------------------
Received on 2014-10-17