Hi gang, we are getting questions from users about TLS_FALLBACK_SCSV. While I certainly understand the need for it if you have to continue to try to support SSL 3.0, in the cases where the server or even the library doesn't support it - and doesn't support SSL 3.0 - this seems a bit backwards.
As this is not even yet a standardized option in the protocol, requiring this preliminary hack to be there when not supporting SSL 3.0 seems backwards. I might argue
that having this there is even risky when you do not need it.
Could I ask the merit of this decision for your rating - I understand completely in the presence of SSL 3.0, but to me this doesn't make sense otherwise, as this option
is hardly yet standardized and is probably at this stage a bit of a "quick hack" to get around needing to continue to support a broken (SSL 3.0) protocol.