So, let's get this clarified with test results.

I've tested Firefox 34 beta 1.

Because bug 1076983 hasn't landed on the beta branch yet, the current
Firefox 34 beta 1 still has SSL3 enabled.

With this current default configuration (SSL3 enabled), Firefox will
fall back to SSL3.

Then I used about:config and changed security.tls.version.min to 1
(which means TLSv1, thereby disabling SSL3).

With SSL3 disabled, Firefox 34 no longer falls back to SSL3.

When attempting to connect to an SSL3-only server, I see Firefox 34
attempting three connections, with TLS 1.2 {3,3}, TLS 1.1 {3,2} and TLS
1.0 {3,1}, but not SSL3.

In other words, with SSL3 disabled, Firefox 34 doesn't attempt a
fallback to use SSL3.

With these new results, it's no longer clear to me what Florian was
referring to.

On Thu, 2014-10-16 at 20:27 +0200, Florian Weimer wrote:
> Why is disabling SSL 3.0 acceptable, but getting rid of the broken
> fallback which will keep endangering users for a long time to come is
> not?

Florian, did you assume that Firefox would still fall back to SSL3?
That's not happening.
With SSL3 disabled, the intention, as I understand it, is to disable
SSL3 completely, not even using it when falling back.

On the other hand, Firefox will continue to fall back to non-disabled
versions of TLS (such as TLS 1.1 and TLS 1.0).

Is this what you're worried about?

Kai


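The version-fallback behaviour Kai describes above (TLS 1.2 {3,3}, then TLS 1.1 {3,2}, then TLS 1.0 {3,1}, never SSL3 once security.tls.version.min is 1), as an added toy model that is not Firefox code and not part of this thread. It assumes the about:config encoding 0 = SSL 3.0, 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2, and models an intolerant server as one that simply aborts any handshake whose version it does not accept.

```python
# Constructed model of a client's protocol-version fallback; not Firefox's
# real implementation. Version numbers follow security.tls.version.min/max:
# 0 = SSL 3.0, 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2.

# On-the-wire {major, minor} version bytes for each configured value.
WIRE_VERSIONS = {
    0: (3, 0),  # SSL 3.0
    1: (3, 1),  # TLS 1.0
    2: (3, 2),  # TLS 1.1
    3: (3, 3),  # TLS 1.2
}

NAMES = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def fallback_attempts(version_min, version_max=3):
    """Wire versions a fallback-enabled client tries, highest first.
    The client never offers anything below version_min, so with
    version_min=1 SSL 3.0 {3,0} is never attempted."""
    if not 0 <= version_min <= version_max <= 3:
        raise ValueError("invalid version range")
    return [WIRE_VERSIONS[v] for v in range(version_max, version_min - 1, -1)]


def simulate_connect(version_min, server_versions, version_max=3):
    """Simulate connecting to an intolerant server that aborts every handshake
    whose offered version is not in server_versions (a constructed set of
    wire versions). Each abort makes the client retry one version lower.
    Returns (attempted versions, negotiated version or None)."""
    attempts = []
    for ver in fallback_attempts(version_min, version_max):
        attempts.append(ver)
        if ver in server_versions:
            return attempts, ver  # handshake accepted at this version
    return attempts, None  # exhausted the allowed range; connection fails


def describe(attempts):
    """Human-readable names for a list of attempted wire versions."""
    return [NAMES[v] for v in attempts]


if __name__ == "__main__":
    # The SSL3-only server case from the e-mail, with SSL3 disabled (min = 1).
    tried, negotiated = simulate_connect(1, {(3, 0)})
    print(describe(tried), "->", NAMES.get(negotiated, "no connection"))
```

With version_min=0 (the beta 1 default) the same server is reached on the fourth attempt at {3,0}, which is the downgrade the thread is discussing.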
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto