https://issues.apache.org/bugzilla/show_bug.cgi?id=57464
Konstantin Kolinko <knst.koli...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO

--- Comment #2 from Konstantin Kolinko <knst.koli...@gmail.com> ---
As far as I am reading this, the check for the presence of the TLS_FALLBACK_SCSV cipher in the cipher list provided by the client should happen during protocol & cipher negotiation in the TLS/SSL library. That happens outside of Tomcat's control.

If the feature is implemented in the underlying libraries (Java JSSE, OpenSSL) then I think it will be available automatically, if they have it "on" by default. At most Tomcat could provide options to turn the feature off/on, if such options are provided by the underlying libraries.

Looking at the OpenSSL changelog, this feature is available since 1.0.1j. As far as I understand, it is "on" by default, and I have not heard of a way to turn it off.

The following blog post says how to test it:
https://dwradcliffe.com/2014/10/16/testing-tls-fallback.html

To clarify: TLS_FALLBACK_SCSV is a generic mechanism to protect from protocol downgrades. For example it can protect from a TLS 1.2 -> TLS 1.1 downgrade caused by a MITM / unreliable network.
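The server-side rule behind the mechanism Konstantin describes, as an added example (not Tomcat, JSSE or OpenSSL code): a minimal ClientHello cipher-suite parser plus the RFC 7507 decision of whether the library must abort the handshake with inappropriate_fallback. The ClientHello bytes are constructed for the example.

```python
"""Server-side TLS_FALLBACK_SCSV check as specified in RFC 7507, section 3.

Added example; this is not Tomcat, JSSE or OpenSSL code. The ClientHello
bytes produced by build_client_hello() are constructed for the example.
"""
import struct

TLS_FALLBACK_SCSV = 0x5600            # cipher suite value reserved by RFC 7507
TLS_1_1, TLS_1_2 = 0x0302, 0x0303     # ProtocolVersion values
INAPPROPRIATE_FALLBACK = 86           # AlertDescription added by RFC 7507


def parse_client_hello(body: bytes):
    """Return (client_version, [cipher suites]) from a ClientHello handshake body.

    Layout: client_version(2) random(32) session_id<0..32> cipher_suites<2..2^16-2> ...
    """
    version = struct.unpack(">H", body[0:2])[0]
    off = 2 + 32                                  # skip client_version and random
    sid_len = body[off]
    off += 1 + sid_len                            # skip session_id vector
    cs_len = struct.unpack(">H", body[off:off + 2])[0]
    off += 2
    if cs_len % 2 or off + cs_len > len(body):
        raise ValueError("malformed cipher_suites vector")
    suites = [struct.unpack(">H", body[i:i + 2])[0] for i in range(off, off + cs_len, 2)]
    return version, suites


def check_fallback(client_version: int, suites, server_max_version: int):
    """RFC 7507 server rule: if the SCSV is present and the server supports a
    higher version than the client offered, the client is retrying after a
    downgrade it did not need, so respond with a fatal inappropriate_fallback.
    Returns None when the handshake may proceed, else the alert description."""
    if TLS_FALLBACK_SCSV in suites and server_max_version > client_version:
        return INAPPROPRIATE_FALLBACK
    return None


def build_client_hello(version: int, suites) -> bytes:
    """Construct a minimal ClientHello body (no extensions) for the example."""
    rnd = b"\x11" * 32                            # constructed, not random
    cs = b"".join(struct.pack(">H", s) for s in suites)
    return (struct.pack(">H", version) + rnd + b"\x00"          # empty session_id
            + struct.pack(">H", len(cs)) + cs + b"\x01\x00")    # null compression only


def handle(body: bytes, server_max_version: int = TLS_1_2):
    """Parse a ClientHello and apply the SCSV check for a server whose
    highest supported version is server_max_version."""
    version, suites = parse_client_hello(body)
    return check_fallback(version, suites, server_max_version)
```

A TLS 1.1 retry carrying the SCSV against a TLS 1.2-capable server is rejected, while a genuine TLS 1.1-only client (no SCSV) and a first attempt at the server's top version both proceed.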