Ángel González writes:
Sam Varshavchik writes: > Jakob Bohm writes: > > For clients (see above), there are API (not just ABI) changes, > > requiring SSL/TLS client codes to pass extra options to get the > > TLS_FALLBACK_SCSV protection feature. At least that is how it was > > in the original patch posted to the openssl mailing lists. >> I do not see why an extra option is needed. It should be enabled by default,> and maybe have an extra option to turn it off.SSL/TLS has a protocol version negotiation. If the client wants to perform a version downgrade based on OOB data (such as a network error), then it's his duty to do tag downgrades as such.
I thought about writing up a detailed explanation of why I think this is wrong, but I caught myself – it would be a waste of time, and won't accomplish anything useful.
Let's just wait to see how GnuTLS handles this. As I said before, I expect GnuTLS to have the TLS_FALLBACK_SCSV protection enabled in their API by default, with the client applications having an additional option to turn it off, so all existing GnuTLS applications will get the benefit of TLS_FALLBACK_SCSV by default.
Meanwhile, all OpenSSL clients will have to do a code change, in order to enable it.
Just like GnuTLS appears to have the elliptic curve ciphers enabled by default, and OpenSSL requiring a silly option (actually, two alternative silly versions, depending on the OpenSSL version) to enable them.
pgpCjS3TluLLe.pgp
Description: PGP signature
------------------------------------------------------------------------------ Comprehensive Server Monitoring with Site24x7. Monitor 10 servers for $9/Month. Get alerted through email, SMS, voice calls or mobile push notifications. Take corrective actions from your mobile device. http://p.sf.net/sfu/Zoho
_______________________________________________ Courier-imap mailing list Courier-imap@lists.sourceforge.net Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-imap
