Kai,

What is the purpose of Firefox continuing to do any fallback at all?
IMO, making a second connection with any lower version of SSL/TLS defeats the intent of the SSL/TLS protocol, which has built-in defenses against protocol version downgrade.
Isn't it time this fallback gets eliminated at last?

Julien

On 10/20/2014 16:40, Kai Engert wrote:
On Thu, 2014-10-16 at 20:51 +0200, Kai Engert wrote:
Do you claim that Firefox 34 will continue to fall back to SSL 3 when
necessary?
Yes. If I understand correctly, it seems that Firefox indeed still falls
back to SSL3, even with SSL3 disabled.

I found
   https://bugzilla.mozilla.org/show_bug.cgi?id=1083058
which intends to implement a preference to configure the oldest allowed
protocol version to fall back to, with a proposed minimum of 1 (TLS1).

Kai



--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
