cURL / Mailing Lists / curl-library / Single Mail

curl-library

Re: SSLv3 fallback attack POODLE

From: Florian Weimer <fweimer_at_redhat.com>
Date: Fri, 17 Oct 2014 16:31:20 +0200

On 10/16/2014 10:53 AM, Daniel Stenberg wrote:
>> If it's really possible in all SSL backends to disable negotiation
>> down to SSLv3 while still allowing it if explicitly requested (with
>> --sslv3) then I'm fine with that.
>
> Me too.

Do you consider the fallback logic in the NSS code a security
vulnerability? Then it might make sense to release its removal as a
separate security fix, and not include the SSL 3.0 removal, to minimize
the compatibility impact.

If you want to treat the NSS fallback code as a security vulnerability,
I will get the ball rolling on CVE assignment.

-- 
Florian Weimer / Red Hat Product Security
-------------------------------------------------------------------
List admin: http://cool.haxx.se/list/listinfo/curl-library
Etiquette:  http://curl.haxx.se/mail/etiquette.html

Received on 2014-10-17

This message: [ Message body ]
Next message: Daniel Stenberg: "Re: SSLv3 fallback attack POODLE"
Previous message: Kamil Dudka: "Re: SSLv3 fallback attack POODLE"
In reply to: Daniel Stenberg: "Re: SSLv3 fallback attack POODLE"
Next in thread: Daniel Stenberg: "Re: SSLv3 fallback attack POODLE"
Reply: Daniel Stenberg: "Re: SSLv3 fallback attack POODLE"

Contemporary messages sorted: [ by date ] [ by thread ] [ by subject ] [ by author ] [ by messages with attachments ]