Like everyone else we are dealing with POODLE -- disabling SSL version 3. I was looking at RFC 5246. It seems to suggest that TLS 1.2 is backwards compatible with the previous versions TLS 1.0 and 1.1. If I disable SSL 3.0 on my servers and enable TLS 1.2, will older client browsers that only support TLS 1.0 and 1.1 be able to connect to the server?
RFC 5246 seems to suggest this, but I wasn't sure how this worked in the real world.
Appendix E. Backward Compatibility p.87
- E.1. Compatibility with TLS 1.0/1.1 and SSL 3.
"...A TLS server can also receive a ClientHello containing a version number smaller than the highest supported version. If the server wishes to negotiate with old clients, it will proceed as appropriate for the highest version supported by the server that is not greater than ClientHello.client_version. For example, if the server supports TLS 1.0, 1.1, and 1.2, and client_version is TLS 1.0, the server will proceed with a TLS 1.0 ServerHello. If server supports (or is willing to use) only versions greater than client_version, it MUST send a "protocol_version" alert message and close the connection."
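The Appendix E.1 rule above, worked through in code as an added example (not part of the question or of RFC 5246): the server selects the highest version it supports that is not greater than ClientHello.client_version, and returns a protocol_version alert when no such version exists. The ClientHello record is constructed here with zeroed random and a single cipher suite; the post-POODLE server profile (TLS 1.0, 1.1, 1.2 enabled, SSL 3.0 disabled) is the one the question describes.

```python
"""TLS version negotiation per RFC 5246 Appendix E.1 (added example)."""
import struct

# Protocol versions as they appear on the wire: (major, minor).
SSL_3_0, TLS_1_0, TLS_1_1, TLS_1_2 = (3, 0), (3, 1), (3, 2), (3, 3)
NAMES = {SSL_3_0: "SSL 3.0", TLS_1_0: "TLS 1.0", TLS_1_1: "TLS 1.1", TLS_1_2: "TLS 1.2"}

# Server profile from the question: SSL 3.0 disabled, TLS 1.0-1.2 enabled.
POST_POODLE_SERVER = frozenset({TLS_1_0, TLS_1_1, TLS_1_2})


def build_client_hello(client_version):
    """Constructed minimal ClientHello record (random zeroed, one cipher suite,
    null compression). Only client_version matters for the negotiation rule."""
    body = (bytes(client_version) + bytes(32)      # client_version, random
            + b"\x00"                              # empty session_id
            + b"\x00\x02\x00\x2f"                  # one suite: TLS_RSA_WITH_AES_128_CBC_SHA
            + b"\x01\x00")                         # compression: null only
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body   # msg_type=client_hello
    return b"\x16" + bytes(client_version) + struct.pack(">H", len(handshake)) + handshake


def client_version_from_hello(record):
    """Extract ClientHello.client_version from a handshake record.
    RFC 5246 E.1 keys the decision on the version inside the ClientHello body
    (bytes 9-10), not on the record-layer version in bytes 1-2."""
    if len(record) < 11 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    if record[5] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    return (record[9], record[10])


def negotiate(server_versions, client_version):
    """Highest server-supported version <= client_version, or None when the
    server must send a protocol_version alert and close the connection."""
    candidates = [v for v in server_versions if v <= client_version]
    return max(candidates) if candidates else None


if __name__ == "__main__":
    for offered in (SSL_3_0, TLS_1_0, TLS_1_1, TLS_1_2):
        chosen = negotiate(POST_POODLE_SERVER,
                           client_version_from_hello(build_client_hello(offered)))
        outcome = NAMES[chosen] if chosen else "protocol_version alert"
        print(f"client offers {NAMES[offered]:8} -> {outcome}")
```

A TLS 1.0-only browser therefore still connects (the server answers with a TLS 1.0 ServerHello); only a client whose client_version is SSL 3.0 is refused once SSL 3.0 is disabled.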