Re: [Chicken-users] OpenSSL egg option defaults poll


From: Andy Bennett
Subject: Re: [Chicken-users] OpenSSL egg option defaults poll
Date: Thu, 16 Oct 2014 01:30:33 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Icedove/24.8.1

Hi Thomas!

> So I would like to poll for opinions from people on this list concerning
> this situation. Do you think the default options in the OpenSSL egg
> should be "hardened"? Do you think more options should be introduced? Is
> compatibility with the rest of the internet a concern at all? ;-)

We run Spiffy with SSL on our live site at https://www.knodium.com/

Our users are typically in educational environments where the provided
software is not always of the latest version so we'd like to have as
wide support as possible for clients that might visit our site.

Having said that, I'm not sure which clients on which operating systems
are SSL 3.0 only. In this case we're using OpenSSL on the server side
(http-client may differ) and given that we control what we use there,
the thing that matters is the population of web browsers that require
SSL 3.0 in order to work with HTTPS sites.


Have you seen this article by Google about TLS_FALLBACK_SCSV?

http://googleonlinesecurity.blogspot.co.uk/2014/10/this-poodle-bites-exploiting-ssl-30.html


More info:

https://www.openssl.org/~bodo/ssl-poodle.pdf

https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00



Again, I'm not sure which clients support that yet, especially amongst
the older ones which do support TLS but are still old and therefore
might not get updates. This approach doesn't work unless both sides
support it.


From the Google article it sounds like it might be worth us implementing
TLS_FALLBACK_SCSV and waiting to hear the results of the test in which
they disable SSL 3.0.

Regards,
@ndy

-- 
address@hidden
http://www.ashurst.eu.org/
0x7EBA75FF
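An added illustration of the server-side rule from draft-ietf-tls-downgrade-scsv that the message above refers to (example code written for this page, not code from the OpenSSL egg, Spiffy or OpenSSL itself). It decodes only the fields of a ClientHello body that the check needs, and the hello messages and the server's assumed maximum version (TLS 1.2) are constructed inline.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600        # signalling cipher suite value from the draft
INAPPROPRIATE_FALLBACK = 86       # alert description the draft defines
SSL_3_0, TLS_1_0, TLS_1_1, TLS_1_2 = 0x0300, 0x0301, 0x0302, 0x0303


def parse_client_hello(hello):
    """Return (client_version, [cipher suites]) from a raw ClientHello
    handshake body. Session id, compression and extensions are skipped."""
    version = struct.unpack('>H', hello[0:2])[0]
    pos = 2 + 32                                   # skip the 32-byte random
    sid_len = hello[pos]
    pos += 1 + sid_len
    cs_len = struct.unpack('>H', hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack('>H', hello[i:i + 2])[0]
              for i in range(pos, pos + cs_len, 2)]
    return version, suites


def check_fallback(hello, server_max_version):
    """Server-side check: a client that signals a fallback retry while
    offering a version lower than the best we support is aborted with
    inappropriate_fallback; anything else proceeds as normal. A client that
    never sends the SCSV (e.g. an old SSL 3.0-only browser) is not affected,
    which is why both sides have to support it for the mechanism to help."""
    version, suites = parse_client_hello(hello)
    if TLS_FALLBACK_SCSV in suites and version < server_max_version:
        return ('abort', INAPPROPRIATE_FALLBACK)
    return ('continue', version)


def build_client_hello(version, suites):
    """Constructed test input: minimal ClientHello body with a zeroed
    random, empty session id, null compression and no extensions."""
    body = struct.pack('>H', version) + b'\x00' * 32 + b'\x00'
    body += struct.pack('>H', 2 * len(suites))
    body += b''.join(struct.pack('>H', s) for s in suites)
    body += b'\x01\x00' + b'\x00\x00'
    return body


if __name__ == '__main__':
    retry = build_client_hello(TLS_1_0, [0x002f, TLS_FALLBACK_SCSV])
    print(check_fallback(retry, TLS_1_2))          # ('abort', 86)
    legacy = build_client_hello(SSL_3_0, [0x002f])
    print(check_fallback(legacy, TLS_1_2))         # ('continue', 768)
```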