On Thu, Jan 29, 2015 at 07:28:45PM +0000, Salz, Rich wrote: > You are misunderstanding him. > > The version you have is patched. The "poodle detection" script you are using > is buggy.
Just to clarify, poodle is something that can not be fixed in SSLv3. If you allow SSLv3 you are affected by poodle. The only way to really fix the poodle problem is by not allowing SSLv3. The patch in the various branches does not fix the poodle problem, it just tries to prevent it. It adds a way to detect a downgrade attack. The most likely way poolde would be exploited is by doing a downgrade attack from TLS to SSLv3. There is a mitigation added in case of a fallback from a higher to a lower SSL/TLS version by the client. If both sides support this mitigation you can detect a downgrade attack and prevent the poodle attack. If the client does not support this mitigation you're still vulnerable. Just disable SSLv3. Kurt _______________________________________________ openssl-dev mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
