AnsweredAssumed Answered

SSLv3.0 disabled. Is there any benefit of supporting TLS_FALLBACK_SCSV?

Question asked by j-mailor on Oct 21, 2014
Latest reply on Nov 18, 2014 by Ivan Ristić


on my http server configured for specific use, I only have TLS v1.2 enabled.

But in Protocol Details I see Downgrade attack prevention  No, TLS_FALLBACK_SCSV not supported in orange color.


If I understand correctly, this server is not vulnerable to POODLE attack, because SSL v3.0 protocol is disabled. Currently I am using OpenSSL 1.0.1h version on Apache 2.4.x. Is there any point in my case to migrate to newer OpenSSL 1.0.1j library, to get this TLS_FALLBACK_SCSV support in way of security? Probably not, is it?