TLS protocol levels, POODLE, and TN2287
TLS protocol levels, POODLE, and TN2287
- Subject: TLS protocol levels, POODLE, and TN2287
- From: Jens Alfke <email@hidden>
- Date: Wed, 15 Oct 2014 13:50:29 -0700
To work around the POODLE security vulnerability[1], I'm going into the part of my code that opens SSL/TLS connections via CFStream and disabling SSLv3. (I know POODLE is a bigger problem for servers than clients, but better safe than sorry.)
Once there, I noticed that a few years ago I'd already added some code to limit SSL protocols, as per technote TN2287[2]. In this case I'd limited it to a _maximum_ protocol level of TLS 1.0, because the technote says "Some non-compliant TLS server implementations do not implement TLS 1.2 and, more importantly, do not downgrade gracefully to a supported protocol version."
As I update this code I'm wondering whether this is still a problem for any significant number of servers, or whether they've all been fixed in the three years since the technote was written?
If we still need to follow the workaround, it looks like the CFStream API doesn't allow setting a separate min/max protocol level, so I have to choose between accepting only TLS 1.0 or TLS 1.1. Which would be better? I'm going to go with 1.1, just because it's newer.
—Jens
[1] http://arstechnica.com/security/2014/10/ssl-broken-again-in-poodle-attack/
[2] https://developer.apple.com/library/ios/technotes/tn2287/_index.html
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Macnetworkprog mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden