I have patched my server with OpenSSL 1.0.1j for the POODLE vulnerability. I have been reading the spec on TLS_FALLBACK_SCSV. From what I can tell, in order for TLS fallback prevention to work properly, it requires the client to announce it in the ClientHello, and if not, even if the server supports fallback, it will not be used. What is the expected behavior if only one side, say the server side, supports it?