Am Donnerstag, 16. Oktober 2014, 22:01:35 schrieb Ángel González: > Ángel González wrote: > > First of all, note that wget doesn't react to a disconnect with a > > downgraded retry thus > > it is mainly not vulnerable to poodle (you could only use > > CVE-2014-3566 against servers > > not supporting TLS). > > Note I tested both openssl and gnutls builds. Then I rebuilt 1.15¹ with > both libraries using > versions prior to poodle announcement. None of them was affected. > > > ¹ I am having some problem with src/Makefile generation, so I didn't > test with master, but that > should be equivalent.
Hi Ángel, thanks for your testing. I would like to reproduce it - can you tell me what you did exactly ? The original paper talks about 'client renegotiation dance'. What about renegotiation at protocol level ? Isn't it possible that a TLS connection goes down to SSLv3 intransparent to the client/server code ? I am not that deep into the TLS/SSL libraries to answer that question myself right now. The paper talks about 'proper protocol version negotiation' - that seems to need some clarification. Tim