AnsweredAssumed Answered

Poodle - TLS 1.2 Compatibility

Question asked by Beth Stover on Oct 28, 2014
Latest reply on Oct 29, 2014 by Ivan Ristić

Like everyone else we are dealing with Poodle -- disabling SSL version 3.  I was looking at RFC5246.  It seems to suggest that TLS 1.2 is backwards compatible with previous versions of TLS 1.0 and 1.1.  If I disable SSL 3.0 on my servers and enable TLS 1.2, will older client browsers that only support TLS 1.0 and 1.1 be able to connect to the server?

 

RFC5246 seems to suggest this, but I wasn't sure how this worked in the real world.

 

RFC 5246 - The Transport Layer Security (TLS) Protocol Version 1.2


Appendix E.  Backward Compatibility p.87

 

  1. E.1.  Compatibility with TLS 1.0/1.1 and SSL 3.

"...A TLS server can also receive a ClientHello containing a version

number smaller than the highest supported version.  If the server

wishes to negotiate with old clients, it will proceed as appropriate

for the highest version supported by the server that is not greater

than ClientHello.client_version.  For example, if the server supports

TLS 1.0, 1.1, and 1.2, and client_version is TLS 1.0, the server will

proceed with a TLS 1.0 ServerHello.  If server supports (or is

willing to use) only versions greater than client_version, it MUST

send a "protocol_version" alert message and close the connection."

 

Any comments?

 

Thanks!

 

B.

Outcomes