
TLS_FALLBACK_SCSV, even without SSL3, necessary for A+ rating?

Question asked by Bob Beck on Dec 10, 2014
Latest reply on Dec 11, 2014 by Mark Napier

Hi gang, we are getting questions from users about TLS_FALLBACK_SCSV. While I certainly understand the need for it if you have to continue to try to support SSL 3.0, in the cases where the server or even the library doesn't support it, and doesn't support SSL 3.0, this seems a bit backwards.

 

As this is not even yet a standardized option in the protocol, requiring this preliminary hack to be there when not supporting SSL 3.0 seems backwards. I might argue that having this there is even risky when you do not need it.

 

Could I ask the merit of this decision for your rating? I understand completely in the presence of SSL 3.0, but to me this doesn't make sense otherwise, as this option is hardly yet standardized and is probably at this stage a bit of a "quick hack" to get around needing to continue to support a broken (SSL 3.0) protocol.
