Jeff Darcy <jdarcy@xxxxxxxxxx> wrote:

> As I'm sure you know, security often involves multiple layers. At the
> time, the OpenSSL method table we used was still one that would allow
> fallback to SSLv3.

You refer to using ssl23_client_method()? That function's name is really bad, because it is the only one that allows negotiation of the highest protocol available, as opposed to TLSv1_client_method(), which is not able to use TLSv1.2, for instance.

Hence ssl23_client_method() is indeed the way to go, and you are right that it also allows downgrading to SSLv2 or SSLv3, which brings the POODLE vulnerability. But the SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3 options for SSL_CTX_set_options() are there to make sure it cannot happen. At least this is how it is fixed in all software I have been looking at.

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
manu@xxxxxxxxxx

_______________________________________________
Gluster-devel mailing list
Gluster-devel@xxxxxxxxxxx
http://www.gluster.org/mailman/listinfo/gluster-devel
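The configuration discussed above, as an added example that is not code from this thread or from GlusterFS: Python's ssl module drives the same OpenSSL SSL_CTX, so PROTOCOL_TLS_CLIENT plays the role of the auto-negotiating SSLv23_client_method() and ctx.options sets the same SSL_OP_NO_SSLv2 / SSL_OP_NO_SSLv3 bits. The legacy_client_context() model of the unfixed state and the audit() helper are my own constructions.

```python
import ssl
import warnings


def hardened_client_context() -> ssl.SSLContext:
    """Auto-negotiating client context with the SSLv2/SSLv3 fallback switched off."""
    # PROTOCOL_TLS_CLIENT negotiates the highest version both sides support,
    # unlike a version-pinned method (TLSv1_client_method()) that can never
    # reach TLS 1.2.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)  # OP_NO_* bits are deprecated
        # Same bits as SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3).
        # On OpenSSL >= 1.1.0 OP_NO_SSLv2 is 0 (SSLv2 was removed outright), so
        # OP_NO_SSLv3 is the bit that actually matters for POODLE.
        ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    # Newer OpenSSL expresses the same floor as a minimum protocol version.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """Constructed model of the pre-fix state: auto-negotiation, no SSLv3 floor."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        # Plain ints avoid IntFlag inversion quirks; this clears only the SSLv3 bit.
        ctx.options = int(ctx.options) & ~int(ssl.OP_NO_SSLv3)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit(ctx: ssl.SSLContext) -> dict:
    """Read a context's configured version floor/ceiling, as SSL_CTX_get_options would.

    This inspects configuration only; whether the linked OpenSSL build still
    contains SSLv3 code at all is a separate question.
    """
    floor, ceiling = ctx.minimum_version, ctx.maximum_version
    no_sslv3_bit = bool(int(ctx.options) & int(ssl.OP_NO_SSLv3))
    # MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED are sentinels, not protocol numbers.
    floor_blocks_sslv3 = (floor != ssl.TLSVersion.MINIMUM_SUPPORTED
                          and floor > ssl.TLSVersion.SSLv3)
    capped_below_tls12 = (ceiling != ssl.TLSVersion.MAXIMUM_SUPPORTED
                          and ceiling < ssl.TLSVersion.TLSv1_2)
    return {
        "sslv3_fallback_possible": not (no_sslv3_bit or floor_blocks_sslv3),
        "tls12_reachable": not capped_below_tls12,
    }
```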