Hi Andy,

On Dec 17, 2014 4:18 PM, "Andy Bradford" <[email protected]> wrote:
>
> Thus said Jan Nijtmans on Wed, 17 Dec 2014 23:13:16 +0100:
>
> > <http://en.wikipedia.org/wiki/POODLE>
>
> According to this article, disabling SSL 3.0 is only one way of dealing
> with the downgrade attack. Another way is for browsers/servers to
> implement TLS_FALLBACK_SCSV which will make it impossible.

Make what impossible? Downgrade attacks or sslv3?

> However, I
> wonder if Fossil's use of SSL is even vulnerable to such an attack in
> the first place?

Well sslv3 is already dependent on the system openssl version so what attack?

> Fossil isn't exactly a browser and doesn't share any
> code with a browser (except using an SSL library).

But it has some method to serve web pages over SSL to a browser.

> Anyone know if it
> is even susceptible? It seems that the article focuses mostly on
> browsers/servers, but perhaps it is actually the crypto library at
> fault? Something worth looking into.

But if it's the server, wouldn't that be fossil?

>
> Andy
> --
> TAI64 timestamp: 4000000054921d8a
>
