So, let's get this clarified with test results. I've tested Firefox 34 beta 1.
Because bug 1076983 hasn't landed on the beta branch yet, the current Firefox 34 beta 1 still has SSL3 enabled. With this current default configuration (SSL3 enabled), Firefox will fall back to SSL3.

Then I used about:config and changed security.tls.version.min to 1 (which means TLSv1, thereby disabling SSL3). With SSL3 disabled, Firefox 34 no longer falls back to SSL3. When attempting to connect to an SSL3-only server, I see Firefox 34 attempting three connections, with TLS 1.2 {3,3}, TLS 1.1 {3,2} and TLS 1.0 {3,1}, but not SSL3. In other words, with SSL3 disabled, Firefox 34 doesn't attempt a fallback to use SSL3.

With these new results, it's no longer clear to me what Florian was referring to.

On Thu, 2014-10-16 at 20:27 +0200, Florian Weimer wrote:
> Why is disabling SSL 3.0 acceptable, but getting rid of the broken
> fallback which will keep endangering users for a long time to come is
> not?

Florian, did you assume that Firefox would still fall back to SSL3? That's not happening. With SSL3 disabled, the intention, as I understand it, is to disable SSL3 completely, not even using it when falling back. On the other hand, Firefox will continue to fall back to non-disabled versions of TLS (such as TLS 1.1 and TLS 1.0). Is this what you're worried about?

Kai

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
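The version-by-version fallback Kai observed, and the point Florian raises about it, can be modelled in a few lines. The following is an added illustration written for this page, not Firefox or NSS code: it walks the client's enabled versions from highest to lowest, stops at the first one the far end completes, and never goes below security.tls.version.min. The pref mapping (0 = SSL 3.0, 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2) matches the "1 means TLSv1" value in the message; the peer's accepted-version set is a constructed input that stands for whatever the network path allows, which is what makes a failure-triggered fallback a downgrade hazard rather than just a compatibility feature.

```python
"""Model of the TLS version fallback behaviour discussed in the thread.

Added illustration; this is not Firefox or NSS code.  It reproduces the
version-by-version fallback the message describes: the client starts at its
highest enabled version and retries one version lower after each failed
connection, but never below security.tls.version.min.
"""

# Record-layer version codes, written {major, minor} as in the message.
VERSION_CODES = {
    "SSL3": (3, 0),
    "TLS1.0": (3, 1),
    "TLS1.1": (3, 2),
    "TLS1.2": (3, 3),
}

# Firefox pref values for security.tls.version.min / .max at the time:
# 0 = SSL 3.0, 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2
PREF_TO_VERSION = {0: "SSL3", 1: "TLS1.0", 2: "TLS1.1", 3: "TLS1.2"}


def fallback_sequence(version_min, version_max=3):
    """Versions the client will try, highest first, bounded by the prefs."""
    if not 0 <= version_min <= version_max <= 3:
        raise ValueError("invalid security.tls.version.min/max pair")
    return [PREF_TO_VERSION[p] for p in range(version_max, version_min - 1, -1)]


def simulate_connection(version_min, accepted_by_peer, version_max=3):
    """Walk the fallback sequence against a peer that only completes
    handshakes for versions in `accepted_by_peer` (a constructed input).

    `accepted_by_peer` stands for whatever the path allows: a genuinely old
    server, or an on-path party that makes higher-version handshakes fail,
    which is the case that turns fallback into a downgrade hazard.

    Returns (attempts, negotiated): attempts is the list of
    (name, (major, minor)) pairs tried in order, negotiated is the version
    that succeeded, or None if every enabled version failed.
    """
    attempts = []
    for name in fallback_sequence(version_min, version_max):
        attempts.append((name, VERSION_CODES[name]))
        if name in accepted_by_peer:
            return attempts, name
    return attempts, None


if __name__ == "__main__":
    # Constructed scenario: the far end only completes SSL3 handshakes.
    ssl3_only_server = {"SSL3"}
    for pref in (0, 1):
        attempts, result = simulate_connection(pref, ssl3_only_server)
        tried = ", ".join(f"{n} {c}" for n, c in attempts)
        print(f"security.tls.version.min={pref}: tried {tried} "
              f"-> {result or 'no connection'}")
```

With min=0 the model reaches SSL3 on the fourth attempt; with min=1 it tries {3,3}, {3,2}, {3,1} and then gives up, which is the behaviour Kai reports. The remaining fallbacks among the enabled TLS versions are still visible in the attempt list, which is the part of the mechanism the quoted question is about.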