A few short (simple) questions about the use of TLS_FALLBACK_SCSV, since we’re currently upgrading to the latest OpenSSL releases.

We don’t establish sessions with any other products than our own clients and servers. We’ve already disabled the use of SSLv3 in both our client and server releases going forward. Is there any advantage in also using TLS_FALLBACK_SCSV – i.e. will there be any benefit in connecting to our already deployed clients and servers?

(I actually don’t think that we’re vulnerable to POODLE, since we don’t use anything like encrypted cookies or repeated messages that could be used to exploit padding changes to “peel off” decoded chunks. Is there any other mechanism to exploit this that would make us vulnerable?)

Where in the session establishment is TLS_FALLBACK_SCSV used, and how would we incorporate it?

I think a lot of folks will probably have these or similar questions. Is there a FAQ somewhere to address this?

Thanks in advance … N