[openssl-users] SSL error “inappropriate fallback” and TLS_FALLBACK_SCSV
Florin Andrei
florin at andrei.myip.org
Thu Jun 1 18:37:55 UTC 2017
On 2017-06-01 02:13, Matt Caswell wrote:
>
> The presence of this error doesn't actually mean that you are under
> attack. It just means that the client made an earlier connection attempt
> with a higher version number and it failed. There could be many reasons
> for the failure. For example, plausibly, if you have a lot of mobile
> clients then you could imagine that a network glitch could cause an
> earlier attempt to fail.
It's interesting how I see a constant stream of “inappropriate fallback”
errors in the logs, but this is pretty much the only error from a TLS
perspective. Sure, there's the occasional certificate failure, like once
every few minutes or so, and then, rarely, there's some ancient app
trying SSLv3 (which is not enabled). But looking at the Nginx error.log
the “inappropriate fallback” is basically the only error I get a
perpetual flow of.
If the TLS_FALLBACK_SCSV attempt is caused by a previously failed
connection, that must have been something different from a TLS error,
because “inappropriate fallback” is probably over 99% of the lines in
error.log - it's the only thing I see as logs are scrolling up in my
viewer.
Would clients actually attempt to send TLS_FALLBACK_SCSV even if the
previous connection attempt failed for reasons other than TLS? If, say,
the initial connection attempt failed at the TCP level? That sounds a
little strange to me.
Again, our clients are a mix of the average mobile devices in general
use these days.
--
Florin Andrei
http://florin.myip.org/
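To make the two halves of this exchange concrete (Matt's description of what the error means, and Florin's observation that it dominates the Nginx error.log), here is an added Python example that is not part of the thread or of OpenSSL. The first function applies the server-side rule from RFC 7507 (the document that defines TLS_FALLBACK_SCSV, cipher-suite value 0x5600): when a ClientHello carries the SCSV and offers a protocol version lower than the highest the server supports, the server answers with an inappropriate_fallback alert, which is the "inappropriate fallback" Nginx logs. The second function tallies handshake failures by reason and by client over a few constructed error.log lines; the log lines, the `<code>`/`<func>` placeholders inside the OpenSSL error string and the client addresses are all made up for the example, and only the `SSL_do_handshake() failed (...) while SSL handshaking, client: ...` shape follows what Nginx actually writes.

```python
import re
from collections import Counter

# RFC 7507: TLS_FALLBACK_SCSV is the cipher-suite value {0x56, 0x00}.
TLS_FALLBACK_SCSV = 0x5600

# Protocol versions as (major, minor) pairs, comparable as tuples.
TLS_VERSIONS = {
    "SSLv3": (3, 0),
    "TLSv1": (3, 1),
    "TLSv1.1": (3, 2),
    "TLSv1.2": (3, 3),
}


def server_fallback_check(client_version, client_cipher_suites, server_max_version):
    """Server-side decision from RFC 7507 section 3.

    client_version: highest version offered in this ClientHello.
    client_cipher_suites: cipher-suite values listed in the ClientHello.
    server_max_version: highest version this server would negotiate.

    Returns "inappropriate_fallback" (the alert the server sends) when the
    client signalled a downgrade retry but the server could have spoken a
    higher version; otherwise "continue" and the handshake proceeds.
    """
    if TLS_FALLBACK_SCSV in client_cipher_suites and client_version < server_max_version:
        return "inappropriate_fallback"
    return "continue"


# Constructed Nginx error.log excerpt (not real traffic). <code> and <func>
# stand in for the hex error code and OpenSSL function name that a real
# line would carry; the reason text at the end is what matters here.
SAMPLE_ERROR_LOG = """\
2017/06/01 18:30:01 [info] 1000#1000: *1 SSL_do_handshake() failed (SSL: error:<code>:SSL routines:<func>:inappropriate fallback) while SSL handshaking, client: 198.51.100.10, server: 0.0.0.0:443
2017/06/01 18:30:02 [info] 1000#1000: *2 SSL_do_handshake() failed (SSL: error:<code>:SSL routines:<func>:inappropriate fallback) while SSL handshaking, client: 203.0.113.7, server: 0.0.0.0:443
2017/06/01 18:30:05 [info] 1000#1000: *3 SSL_do_handshake() failed (SSL: error:<code>:SSL routines:<func>:certificate unknown) while SSL handshaking, client: 192.0.2.44, server: 0.0.0.0:443
2017/06/01 18:30:09 [error] 1000#1000: *4 open() "/var/www/missing.html" failed (2: No such file or directory), client: 192.0.2.8, server: example.test
2017/06/01 18:30:11 [info] 1000#1000: *5 SSL_do_handshake() failed (SSL: error:<code>:SSL routines:<func>:inappropriate fallback) while SSL handshaking, client: 198.51.100.10, server: 0.0.0.0:443
2017/06/01 18:30:14 [info] 1000#1000: *6 SSL_do_handshake() failed (SSL: error:<code>:SSL routines:<func>:unsupported protocol) while SSL handshaking, client: 192.0.2.9, server: 0.0.0.0:443
"""

# Only handshake failures match; other error.log entries are skipped.
HANDSHAKE_RE = re.compile(
    r"SSL_do_handshake\(\) failed \(SSL: (?P<reason>[^)]*)\) while SSL handshaking, "
    r"client: (?P<client>[0-9a-fA-F.:]+)"
)


def tally_handshake_failures(log_text):
    """Count TLS handshake failures by reason, and fallback rejections by client.

    Returns (by_reason, fallback_clients): two Counters. A client that shows
    up repeatedly under "inappropriate fallback" is retrying with the SCSV
    over and over, which is worth a closer look at why its first attempt fails.
    """
    by_reason = Counter()
    fallback_clients = Counter()
    for line in log_text.splitlines():
        match = HANDSHAKE_RE.search(line)
        if not match:
            continue
        # The reason is the last colon-separated field of the OpenSSL error string.
        reason = match.group("reason").rsplit(":", 1)[-1]
        by_reason[reason] += 1
        if reason == "inappropriate fallback":
            fallback_clients[match.group("client")] += 1
    return by_reason, fallback_clients


def fallback_share(by_reason):
    """Fraction of logged handshake failures that are SCSV rejections."""
    total = sum(by_reason.values())
    return by_reason["inappropriate fallback"] / total if total else 0.0


if __name__ == "__main__":
    hello_suites = [0xC02F, TLS_FALLBACK_SCSV]
    print(server_fallback_check(TLS_VERSIONS["TLSv1.1"], hello_suites, TLS_VERSIONS["TLSv1.2"]))
    print(server_fallback_check(TLS_VERSIONS["TLSv1.2"], hello_suites, TLS_VERSIONS["TLSv1.2"]))
    reasons, clients = tally_handshake_failures(SAMPLE_ERROR_LOG)
    print(reasons.most_common(), clients.most_common(), round(fallback_share(reasons), 2))
```

The version check uses the ClientHello version as RFC 7507 describes it; a client that already offers the server's highest version and still includes the SCSV is not rejected, so the SCSV only bites when a real downgrade is being attempted. The tally separates the fallback alerts from certificate and protocol failures so that the relative volume Florin describes can be measured per client rather than eyeballed from a scrolling log.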