[openssl-users] SSL error “inappropriate fallback” and TLS_FALLBACK_SCSV

Matt Caswell matt at openssl.org
Thu Jun 1 09:13:48 UTC 2017



On 01/06/17 02:58, Florin Andrei wrote:
> It's a little puzzling because the exchange of crypto messages uses TLS
> 1.0 which the server definitely supports, and the client should be very
> likely to support too.
> 
> I've seen discussions online saying that the presence of the
> TLS_FALLBACK_SCSV cipher suite is an indication that this failed
> connection is related to anti-POODLE security measures, and the
> communication is likely to be retried again. Is that correct?

"Normal" TLS version negotiation works like this (ignoring TLSv1.3 which
isn't relevant for this discussion): the client sends the maximum TLS
version that it supports in its ClientHello message (this should not be
confused with the version number in the record header). The server
responds with a ServerHello containing the maximum version that it
supports and which is less than or equal to the client's maximum version
number.

For example, if the client supports TLSv1.2 but the server only supports
TLSv1.0, then the ClientHello version will be TLSv1.2 and the server
will respond with TLSv1.0. On the other hand if the client only supports
TLSv1.0 but the server supports TLSv1.2, then the ClientHello version
will be TLSv1.0 and the ServerHello version will also be TLSv1.0.

This is all fine but there are some servers out there which are buggy
and abort the connection if the ClientHello version is bigger than the
maximum version that the server supports. To work around this some
clients will do "fallback". So, they start with a ClientHello version of
TLSv1.2. If the connection aborts then they might send another one with
a version of TLSv1.1. If that aborts then TLSv1.0.

The problem with that approach is that it can be exploited by an
attacker. An attacker may be able to exploit some weakness in an earlier
TLS version which is fixed in a later version. The attacker may then be
able to modify the traffic to ensure that a TLSv1.2 ClientHello fails in
order to force the client to fallback to the earlier exploitable version.

The TLS_FALLBACK_SCSV ciphersuite is used as a counter measure to that
type of attack. A client will include it if it is sending a ClientHello
with a max version that is lower than the maximum that the client
actually supports (because an earlier attempt with the higher version
number failed). If a server receives a TLS_FALLBACK_SCSV ciphersuite in
a ClientHello and it supports a higher version than the one in the
ClientHello then there should have been no reason for the client to
fallback and you get the "inappropriate fallback" error.

The presence of this error doesn't actually mean that you are under
attack. It just means that the client made an earlier connection attempt
with a higher version number and it failed. There could be many reasons
for the failure. For example, plausibly, if you have a lot of mobile
clients then you could imagine that a network glitch could cause an
earlier attempt to fail.

Matt





More information about the openssl-users mailing list