On 10/17/2014 10:10 AM, Giuseppe D'Angelo wrote:
> Yep, and the problem is that I control the application, not which
> OpenSSL version is installed. Therefore I wanted to future-proof my
> application, so when OpenSSL gets upgraded to a version which supports
> SSL_MODE_SEND_FALLBACK_SCSV, everything will work *without* also
> recompiling the application.
> Thus: the manual #define and the call in all cases. I'm fine if it's a
> no-op if OpenSSL doesn't support SSL_MODE_SEND_FALLBACK_SCSV, the
> important thing is that it doesn't break anything...

Do you downgrade the supported protocols on handshake failures, like web
browsers do?
If not, then you cannot use SSL_MODE_SEND_FALLBACK_SCSV in any way, and
you do not need it, either.
--
Florian Weimer / Red Hat Product Security
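
Added example, not part of the original message and not OpenSSL code: a plain-C model of the server-side TLS_FALLBACK_SCSV rule from RFC 7507, next to a client that retries at lower versions the way browsers do. All function names and the `failed_attempts` parameter are hypothetical, and no real handshake is performed.

```c
/* Constructed model of the TLS_FALLBACK_SCSV rule (RFC 7507). Not OpenSSL code:
 * no real handshake is performed and all function names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>

enum { TLS1_0 = 0x0301, TLS1_1 = 0x0302, TLS1_2 = 0x0303 };
enum { HS_OK = 0, ALERT_INAPPROPRIATE_FALLBACK = 86 };

/* Server side: a ClientHello carrying the SCSV is rejected when the server
 * itself supports a higher version than the one the client offered. */
int server_check(int server_max, int client_version, bool scsv)
{
    if (scsv && server_max > client_version)
        return ALERT_INAPPROPRIATE_FALLBACK;
    return HS_OK;
}

/* Client side, browser-style fallback: after a failed handshake, retry one
 * version lower. failed_attempts models handshakes lost to a version-intolerant
 * peer or to interference on the path. Returns the negotiated version,
 * the negated alert number, or 0 if every attempt failed. */
int connect_with_fallback(int client_max, int client_min, int server_max,
                          int failed_attempts, bool scsv_on_retry)
{
    int attempt = 0;
    for (int v = client_max; v >= client_min; v--, attempt++) {
        if (attempt < failed_attempts)
            continue;                       /* handshake failed: downgrade */
        bool scsv = scsv_on_retry && v < client_max;  /* retries only */
        int alert = server_check(server_max, v, scsv);
        if (alert != HS_OK)
            return -alert;
        return v < server_max ? v : server_max;
    }
    return 0;
}

int main(void)
{
    /* The first two handshakes fail against a TLS 1.2 server. */
    printf("no SCSV:   0x%04x\n", connect_with_fallback(TLS1_2, TLS1_0, TLS1_2, 2, false));
    printf("with SCSV: %d\n", connect_with_fallback(TLS1_2, TLS1_0, TLS1_2, 2, true));
    /* Genuinely old server (max TLS 1.0): the retry is accepted. */
    printf("old peer:  0x%04x\n", connect_with_fallback(TLS1_2, TLS1_0, TLS1_0, 2, true));
    /* No fallback logic, SCSV sent on a first attempt capped at TLS 1.0. */
    printf("always on: %d\n", server_check(TLS1_2, TLS1_0, true));
    return 0;
}
```

The last case is the one relevant to a client without fallback logic: a ClientHello that carries the SCSV while offering less than the server's highest version is answered with the inappropriate_fallback alert, even though nothing was downgraded.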