TLS_FALLBACK_SCSV

mex nginx-forum at nginx.us
Fri Oct 17 15:29:00 UTC 2014


> Regarding POODLEbleed[1] issue, I've disabled SSLv3 on `ssl_protocols`

That's the most important part.


> directive. But, ssllabs.com says that :
> 
> ---- snip ----
> Downgrade attack prevention 	No, TLS_FALLBACK_SCSV not supported (more
> info[2])

TLS_FALLBACK_SCSV also prevents downgrades from TLSv1.2 -> TLSv1.1 -> TLSv1
and has got nothing to do with SSLv3.


> With configuration:
> ---- snip ----
> SSLHonorCipherOrder On
> SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2

Isn't this the Apache config?


> 
> So the question is, how important it is?
> 

It is not yet important, but downgrade attacks might happen
again.

Do you have nginx with a different OpenSSL library installed, e.g.
statically linked?

Please paste the full output from

$ nginx -V

Posted at Nginx Forum: http://forum.nginx.org/read.php?2,254106,254109#msg-254109
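
An added example, not part of the original post: a small script for checking your own server for the TLS_FALLBACK_SCSV behaviour discussed above, and for spotting an OpenSSL tree compiled into nginx from the `nginx -V` output requested in the reply. The function names, sample inputs and the placeholder path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check your own server for TLS_FALLBACK_SCSV support.

# Classify the text printed by `openssl s_client ... -fallback_scsv`.
# Prints: supported | not-supported | inconclusive
classify_scsv_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -qi 'alert inappropriate fallback'; then
        echo supported        # server aborted the signalled fallback
    elif printf '%s\n' "$out" | grep -Eq 'Cipher is [A-Z0-9]'; then
        echo not-supported    # handshake completed despite the SCSV
    else
        echo inconclusive     # connect error, TLS 1.1 disabled locally, ...
    fi
}

# Offer only TLS 1.1 and mark the hello as a fallback retry. The result is
# meaningful only when the server's highest enabled version is above TLS 1.1.
probe_scsv() {  # usage: probe_scsv HOST [PORT]
    openssl s_client -connect "$1:${2:-443}" -servername "$1" \
        -tls1_1 -fallback_scsv </dev/null 2>&1 | classify_scsv_output
}

# Read `nginx -V 2>&1` on stdin; report an OpenSSL source tree compiled in
# with --with-openssl=, otherwise "system" (libssl picked up at build time).
nginx_openssl_source() {
    src=$(tr ' ' '\n' | sed -n 's/^--with-openssl=//p' | head -n 1)
    if [ -n "$src" ]; then echo "static: $src"; else echo system; fi
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_REFUSED='CONNECTED(00000003)
error:1407743E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert inappropriate fallback
New, (NONE), Cipher is (NONE)'
SAMPLE_ACCEPTED='CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
    Protocol  : TLSv1.1'
SAMPLE_NGINX_V='nginx version: nginx/X.Y.Z
configure arguments: --with-http_ssl_module --with-openssl=/opt/src/openssl-PLACEHOLDER'

# Run a live probe only when a host is given on the command line.
if [ "$#" -gt 0 ]; then probe_scsv "$@"; fi
```

`nginx -V` writes to stderr, so pipe it as `nginx -V 2>&1 | nginx_openssl_source`.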


