Comment 23 for bug 1381365

Jeremy Stanley (fungi) wrote :

Just as a follow-up on TLS downgrade attacks, note that for example CVE-2014-3511 describes a flaw in the SSL/TLS server implementation in OpenSSL 1.0.1 versions prior to 1.0.1i where severely fragmenting the ClientHello message enables a man-in-the-middle attacker to downgrade the client and server to TLS 1.0 regardless of whether they both support TLS 1.1 and later. Even that flaw did _not_ make it possible to downgrade a handshake to SSL v3. In the current literature you really need a fallback mechanism outside the TLS handshake's version negotiation to exploit SSL v3, akin to what Web browsers implement (or you need to somehow convince someone to use a client/server which lack TLS support entirely).
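To make the distinction in the comment above concrete, here is an added toy model (not code from the bug thread or from OpenSSL) of TLS version negotiation, a browser-style retry-with-lower-version fallback, and the TLS_FALLBACK_SCSV signal from RFC 7507. The handshake is reduced to ClientHello, ServerHello and a Finished check over a transcript hash; the version tuples follow the TLS wire encoding, and the `attacker` callables, `connect`/`server_handshake` helpers and scenario names are this example's own constructions. It shows that a man-in-the-middle who can only drop or edit the ClientHello cannot reach SSLv3 through in-band negotiation, that a client-side fallback loop outside the handshake does hand it over, and that a fallback SCSV lets an aware server refuse the downgraded retry while still talking to a genuinely SSLv3-only peer.

```python
"""Toy model of TLS version negotiation, client-side fallback and
TLS_FALLBACK_SCSV (RFC 7507). Added example, not code from the bug thread.
Versions use the TLS wire encoding (major, minor); the handshake itself is
reduced to ClientHello -> ServerHello -> Finished over a transcript hash."""
import hashlib

SSL3, TLS10, TLS11, TLS12 = (3, 0), (3, 1), (3, 2), (3, 3)
TLS_FALLBACK_SCSV = 0x5600  # RFC 7507 signalling cipher suite value
AES128_SHA = 0x002F          # an ordinary cipher suite, for realism


class HandshakeError(Exception):
    """Raised with the TLS alert description that would be sent."""


def transcript(client_hello, chosen):
    """Stand-in for the Finished verify_data: a hash over the handshake messages."""
    data = repr((client_hello["version"], sorted(client_hello["ciphers"]), chosen))
    return hashlib.sha256(data.encode()).hexdigest()


def server_handshake(received_hello, server_max, scsv_aware):
    """Server side: plain negotiation picks min(client_max, server_max)."""
    client_max = received_hello["version"]
    if scsv_aware and TLS_FALLBACK_SCSV in received_hello["ciphers"] and client_max < server_max:
        # RFC 7507: the client says it is retrying below its best version, but
        # we would have accepted a higher one, so something cut the earlier attempt.
        raise HandshakeError("inappropriate_fallback")
    chosen = min(client_max, server_max)
    return chosen, transcript(received_hello, chosen)


def connect(client_versions, server_max, attacker=None,
            fallback=False, send_scsv=False, scsv_aware=False):
    """Client side. Returns the negotiated version or raises HandshakeError.

    attacker(hello) models a MITM: it returns None to pass the ClientHello
    through, "drop" to kill the connection, or a modified ClientHello dict.
    """
    versions = sorted(client_versions, reverse=True)
    attempts = versions if fallback else versions[:1]
    for i, version in enumerate(attempts):
        hello = {"version": version, "ciphers": [AES128_SHA]}
        if send_scsv and i > 0:
            hello["ciphers"].append(TLS_FALLBACK_SCSV)  # mark this as a retry
        on_wire = hello
        if attacker is not None:
            on_wire = attacker(hello)
            if on_wire == "drop":
                continue  # connection reset: only a fallback-capable client retries
            if on_wire is None:
                on_wire = hello
        chosen, server_finished = server_handshake(on_wire, server_max, scsv_aware)
        # The client hashes the ClientHello *it* sent; any in-flight edit shows up here.
        if transcript(hello, chosen) != server_finished:
            raise HandshakeError("decrypt_error")  # Finished verification failed
        return chosen
    raise HandshakeError("connection_failed")


def drop_above(limit):
    """MITM that resets every connection whose ClientHello offers more than `limit`."""
    return lambda hello: "drop" if hello["version"] > limit else None


def rewrite_version(limit):
    """MITM that edits client_version in the ClientHello instead of dropping it."""
    return lambda hello: dict(hello, version=min(hello["version"], limit))


def scenarios():
    """Run the five cases discussed above; keys and values are this example's own."""
    modern = [SSL3, TLS10, TLS11, TLS12]
    results = {}
    # 1. In-band negotiation only: dropping the handshake just fails it.
    try:
        connect(modern, TLS12, attacker=drop_above(SSL3))
    except HandshakeError as e:
        results["drop_no_fallback"] = str(e)
    # 2. Editing client_version on the wire is caught by the Finished check.
    try:
        connect(modern, TLS12, attacker=rewrite_version(SSL3))
    except HandshakeError as e:
        results["rewrite_no_fallback"] = str(e)
    # 3. A browser-style fallback loop hands the attacker SSLv3.
    results["drop_with_fallback"] = connect(modern, TLS12, attacker=drop_above(SSL3), fallback=True)
    # 4. Same fallback, but the retry carries TLS_FALLBACK_SCSV to an aware server.
    try:
        connect(modern, TLS12, attacker=drop_above(SSL3), fallback=True,
                send_scsv=True, scsv_aware=True)
    except HandshakeError as e:
        results["scsv_blocks_fallback"] = str(e)
    # 5. SCSV does not break a genuinely SSLv3-only server: no retry happened, so
    #    no SCSV is sent (this toy server tolerates a higher ClientHello version).
    results["old_server"] = connect(modern, SSL3, send_scsv=True, scsv_aware=True)
    return results


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome}")
```

The model deliberately ignores implementation bugs such as the fragmented-ClientHello parsing flaw: it represents the protocol as specified, where the only lever the attacker has is breaking connections, and where a retry at a lower version is a decision the client makes on its own, outside the handshake.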