Closed (prototypo closed 9 years ago)
IE10 has TLSv1.1 and TLSv1.2 disabled by default. https://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers
Sure, but so what? This is a server-side issue, not just a browser one.
POODLE is exploited by tricking servers into downgrading their SSL or TLS to a vulnerable version through compatibility checking.
If we disallow TLSv1, we will be excluding IE10 and below.
This is the test to pass: https://www.ssllabs.com/ssltest/index.html
Removing SSL v3 support is sufficient to close this issue.
Callimachus' SSL implementation is currently vulnerable to the SSL v3, TLS v1 POODLE vulnerability: https://www.openssl.org/~bodo/ssl-poodle.pdf
Close the vulnerability by disallowing SSL v3 and TLS v1 protocols entirely (even as downgraded options). Preferably, TLS 1.2 should be used.
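An added example, not Callimachus' own code: one way to apply either position from this thread on a server socket, assuming the server uses Java's standard JSSE API. The class name, the `allowed` helper and the `keepTls10` flag are hypothetical; `keepTls10 = true` drops only SSL v3 (keeping clients limited to TLS v1), `false` drops SSL v3 and TLS v1.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;

public class RestrictProtocols {

    // Filters the protocol names the JSSE provider supports.
    // "SSLv3" and "TLSv1" are the names JSSE uses for SSL 3.0 and TLS 1.0.
    static String[] allowed(String[] supported, boolean keepTls10) {
        List<String> keep = new ArrayList<>();
        for (String p : supported) {
            if (p.equals("SSLv3")) {
                continue;                      // always removed
            }
            if (p.equals("TLSv1") && !keepTls10) {
                continue;                      // removed only in strict mode
            }
            keep.add(p);
        }
        // Fail closed: never fall back to the provider defaults if the
        // filter leaves nothing usable.
        if (keep.isEmpty()) {
            throw new IllegalStateException("no acceptable protocol version left");
        }
        return keep.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // Default context is enough to inspect and set protocol versions;
        // a real server would initialise it with its own key material.
        SSLContext ctx = SSLContext.getDefault();
        try (SSLServerSocket server =
                 (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(0)) {
            String[] supported = server.getSupportedProtocols();
            System.out.println("supported:   " + Arrays.toString(supported));

            // Strict setting from the issue description: no SSL v3, no TLS v1.
            server.setEnabledProtocols(allowed(supported, false));
            System.out.println("strict:      " + Arrays.toString(server.getEnabledProtocols()));

            // Compatibility setting from the comments: only SSL v3 removed.
            server.setEnabledProtocols(allowed(supported, true));
            System.out.println("SSLv3 only:  " + Arrays.toString(server.getEnabledProtocols()));
        }
    }
}
```

Because the enabled list is what the server will negotiate, a version missing from it cannot be selected even when a client retries with a lower version, and the SSL Labs test linked above reports the resulting set.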