Hi Thomas!

> So I would like to poll for opinions from people on this list concerning
> this situation. Do you think the default options in the OpenSSL egg
> should be "hardened"? Do you think more options should be introduced? Is
> compatibility with the rest of the internet a concern at all? ;-)

We run Spiffy with SSL on our live site at https://www.knodium.com/

Our users are typically in educational environments where the provided software is not always of the latest version, so we'd like to have as wide support as possible for clients that might visit our site. Having said that, I'm not sure which clients on which operating systems are SSL 3.0 only. In this case we're using OpenSSL on the server side (http-client may differ), and given that we control what we use there, the thing that matters is the population of web browsers that require SSL 3.0 in order to work with HTTPS sites.

Have you seen this article by Google about TLS_FALLBACK_SCSV?
http://googleonlinesecurity.blogspot.co.uk/2014/10/this-poodle-bites-exploiting-ssl-30.html

More info:
https://www.openssl.org/~bodo/ssl-poodle.pdf
https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00

Again, I'm not sure which clients support that yet, especially amongst the older ones which do support TLS but are still old and therefore might not get updates. This approach doesn't work unless both sides support it.

From the Google article it sounds like it might be worth us implementing TLS_FALLBACK_SCSV and waiting to hear the results of the test in which they disable SSL 3.0.

Regards,
@ndy
--
andy...@ashurst.eu.org
http://www.ashurst.eu.org/
0x7EBA75FF

_______________________________________________
Chicken-users mailing list
Chicken-users@nongnu.org
https://lists.nongnu.org/mailman/listinfo/chicken-users
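The "both sides must support it" point above, as an added illustration that is not part of the mailing-list post or of the OpenSSL egg: the server-side rule from draft-ietf-tls-downgrade-scsv applied to constructed ClientHello cipher-suite lists. It assumes protocol versions are compared as (major, minor) tuples and uses a single sample cipher suite as filler.

```python
# Added example (not from the mailing-list post or the OpenSSL egg): the
# server-side TLS_FALLBACK_SCSV check from draft-ietf-tls-downgrade-scsv,
# run over constructed ClientHello cipher-suite vectors. Versions are
# (major, minor) tuples: SSL 3.0 = (3, 0) ... TLS 1.2 = (3, 3).
import struct

TLS_FALLBACK_SCSV = 0x5600      # the signalling cipher suite value from the draft
INAPPROPRIATE_FALLBACK = 86     # alert description the draft defines

SSL3, TLS10, TLS11, TLS12 = (3, 0), (3, 1), (3, 2), (3, 3)


def encode_cipher_suites(suites):
    """Encode 16-bit cipher-suite values as they appear in a ClientHello:
    a 2-byte length followed by 2 bytes per suite."""
    body = b"".join(struct.pack("!H", s) for s in suites)
    return struct.pack("!H", len(body)) + body


def decode_cipher_suites(buf):
    """Inverse of encode_cipher_suites; rejects odd or truncated vectors."""
    (n,) = struct.unpack("!H", buf[:2])
    if n % 2 or len(buf) < 2 + n:
        raise ValueError("malformed cipher_suites vector")
    return [struct.unpack("!H", buf[2 + i:4 + i])[0] for i in range(0, n, 2)]


def client_hello_suites(suites, falling_back):
    """What an SCSV-aware client sends: on a downgrade retry it appends the
    SCSV so the server can tell the retry apart from a genuinely old client.
    A client that never implemented the SCSV sends nothing extra, which is
    why the server alone cannot protect it."""
    extra = [TLS_FALLBACK_SCSV] if falling_back else []
    return encode_cipher_suites(list(suites) + extra)


def server_check(client_version, server_max_version, cipher_suites_buf):
    """Server side: if the SCSV is present and the offered version is below
    the highest version this server supports, abort with the alert code;
    otherwise return None and let the handshake continue."""
    suites = decode_cipher_suites(cipher_suites_buf)
    if TLS_FALLBACK_SCSV in suites and client_version < server_max_version:
        return INAPPROPRIATE_FALLBACK
    return None


REAL_SUITE = 0x002F  # TLS_RSA_WITH_AES_128_CBC_SHA, used only as sample content

if __name__ == "__main__":
    # Modern client retrying at SSL 3.0 after interference: rejected (86).
    print(server_check(SSL3, TLS12, client_hello_suites([REAL_SUITE], True)))
    # Client that only ever spoke SSL 3.0 sends no SCSV: accepted (None).
    print(server_check(SSL3, TLS12, client_hello_suites([REAL_SUITE], False)))
```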