Thus said jungle Boogie on Wed, 17 Dec 2014 17:41:52 -0800: > Make what impossible? Downgrade attacks or sslv3?
The attack mentioned in the article is a man-in-the-middle attack which is triggered when the client downgrades from TLS to SSL ciphers. I'm a little fuzzy on how this is actually a man-in-the-middle attack... > Well sslv3 is already dependent on the system openssl version so what > attack? It is, but will the client (which where it has been proposed that changes be made with the new setting in Fossil) actually downgrade? Is that an automatic feature of using OpenSSL that Fossil inherits? > But it has some method to serve web pages over SSL to a browser. No, actually, it doesn't. It relies on a webserver to serve content over SSL (e.g. combined with fossil cgi). It has an SSL client though. Web server operators can certainly disable whatever cipher suites they see fit, however, I don't know if this is sufficient. If the SSL ciphers are restricted on the server, will that prevent the downgrade attack? I'm not certain because the POODLE article mentioned it as a man-in-the-middle attack, in which case changing the server may only be part of the problem. > Something worth looking into. But if it's the server, wouldn't that be > fossil? Again, no, because Fossil does not have a server that uses SSL. It has client side only SSL (unless I'm completely mistaken). Andy -- TAI64 timestamp: 4000000054923331 _______________________________________________ fossil-dev mailing list [email protected] http://sqlite.org:8080/cgi-bin/mailman/listinfo/fossil-dev
