On 19/08/2015 00:26, Salz, Rich wrote:
> There are *no* secure SSLv3 ciphers. If you need to support it (for
> legacy clients), then best you can do is use the "poodle patch," the
> SCSV indicator which will at least prevent clients that are capable of
> more from being downgraded.

What about 3DES with appropriate IV, downgrade and replay countermeasures? What exactly is wrong with those ciphers that is beyond salvage? (By salvage I mean significantly better than plain text when talking to clients that don't support anything more modern, such as certain Microsoft systems.)

Specifically:

If the SSL library aborts the session on the first bad decryption, the adversary gets only one use of the padding oracle per key. Shouldn't this kill off those attacks?

With 1/n-1 or 0/n splitting, the predictable IV issue should be reasonably mitigated. (Hence the prior discussion of the need to not disable that via SSL_OP_ALL.)

With export-RSA and export-DH properly disabled, attempts to downgrade to 40/56 bit symmetric keys should be detected, or is there a bug in the way strong RSA/DSA keys are used to authenticate the negotiation that would allow a downgrade to downgrade its own check?

With SCSV handling enabled, shouldn't that prevent downgrade-via-browser-retry attacks (Poodle)? Except of course with browsers that lack the feature.

Which attack scenario did I forget?

Of course it is safer to insist that everybody else uses only TLS 1.2 with ECDH, AES and SHA-2, but I think that would rule out too many clients in practice.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  http://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
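The padding-oracle scenario the message asks about, as an added simulation that is not part of the thread and not OpenSSL code: an SSLv3-style CBC record layer (MAC, then minimal padding of which only the length byte is checked, then CBC) over a toy Feistel block cipher with 3DES-sized 8-byte blocks, a client that opens a fresh connection with a fresh key and IV for every attempt, and a server that rejects and drops the connection on the first bad record. The secret cookie, the toy cipher, the key/IV handling and the attacker's control of prefix and suffix lengths are constructed for the demonstration. The attacker copies the ciphertext block holding the target byte over the padding block; the server accepts about one attempt in 256 and each acceptance leaks one plaintext byte, so a per-key abort is answered by simply triggering another connection. The same function with check_pad_bytes=True models the TLS 1.0 rule that every padding byte is checked, under which the same manipulation does not get through within the attempt budget. Record splitting (1/n-1) is not modelled, since it addresses IV predictability rather than the padding check.

```python
"""Model of the POODLE attack on SSLv3 CBC records (added illustration).

Toy cipher: 4-round Feistel network over 8-byte blocks keyed through HMAC.
The attack depends only on the CBC structure, not on the cipher.
"""
import hashlib
import hmac
import os

BLOCK = 8      # 3DES block size
MAC_LEN = 20   # SHA-1-sized MAC as in the SSLv3 3DES suites


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, half: bytes, rnd: int) -> bytes:
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]


def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for rnd in range(4):
        l, r = r, _xor(l, _round(key, r, rnd))
    return l + r


def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    l, r = block[:4], block[4:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _round(key, l, rnd)), l
    return l + r


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = toy_encrypt_block(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        out.append(_xor(toy_decrypt_block(key, blk), prev))
        prev = blk
    return b"".join(out)


def sslv3_seal(key: bytes, mac_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """MAC, then minimal padding, then CBC-encrypt. A block-aligned
    data||MAC gets a full block of padding whose length byte is BLOCK-1."""
    body = plaintext + hmac.new(mac_key, plaintext, hashlib.sha1).digest()
    padlen = BLOCK - 1 - (len(body) % BLOCK)
    return cbc_encrypt(key, iv, body + os.urandom(padlen) + bytes([padlen]))


def sslv3_open(key, mac_key, iv, record, check_pad_bytes=False) -> bool:
    """True if the record is accepted. SSLv3 inspects only the padding
    length byte; check_pad_bytes=True is the TLS 1.0+ rule that every
    padding byte must equal the length byte."""
    padded = cbc_decrypt(key, iv, record)
    padlen = padded[-1]
    if padlen >= BLOCK:
        return False
    if check_pad_bytes and any(b != padlen for b in padded[-1 - padlen:-1]):
        return False
    body = padded[:len(padded) - padlen - 1]
    data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    return hmac.compare_digest(mac, hmac.new(mac_key, data, hashlib.sha1).digest())


def poodle_recover(secret: bytes, check_pad_bytes=False, max_tries_per_byte=20000):
    """Attacker model: script in the victim's browser triggers one fresh
    connection per attempt and chooses how many bytes precede/follow the
    secret; a network attacker edits one record per connection."""
    recovered = bytearray()
    for i in range(len(secret)):
        prefix_len = (BLOCK - 1 - i) % BLOCK              # secret[i] ends a block
        suffix_len = (-(prefix_len + len(secret) + MAC_LEN)) % BLOCK  # full pad block
        plaintext = b"A" * prefix_len + secret + b"B" * suffix_len
        target = (prefix_len + i) // BLOCK                 # block holding secret[i]
        for _ in range(max_tries_per_byte):
            key, mac_key, iv = os.urandom(16), os.urandom(16), os.urandom(BLOCK)
            record = sslv3_seal(key, mac_key, iv, plaintext)
            blocks = [record[j:j + BLOCK] for j in range(0, len(record), BLOCK)]
            blocks[-1] = blocks[target]                    # copy target over pad block
            if not sslv3_open(key, mac_key, iv, b"".join(blocks), check_pad_bytes):
                continue                                   # connection dropped; try again
            prev_of_target = iv if target == 0 else blocks[target - 1]
            # accepted => D(C_t)[7] ^ C_{n-2}[7] == BLOCK-1, and P_t[7] = D(C_t)[7] ^ C_{t-1}[7]
            recovered.append((BLOCK - 1) ^ prev_of_target[-1] ^ blocks[-2][-1])
            break
        else:
            return None                                    # budget exhausted
    return bytes(recovered)


if __name__ == "__main__":
    print("SSLv3 padding check :", poodle_recover(b"session=7f3a"))
    print("TLS 1.0 padding check:", poodle_recover(b"se", True, 1500))
```

Each accepted attempt costs on average 256 dropped connections, which is why per-session abort does not bound the oracle: the secret is the same on every new session even though the key is not.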