[openssl-users] SSL error “inappropriate fallback” and TLS_FALLBACK_SCSV

Florin Andrei florin at andrei.myip.org
Thu Jun 1 19:12:41 UTC 2017

On 2017-06-01 11:43, Salz, Rich via openssl-users wrote:
>> Would clients actually attempt to send TLS_FALLBACK_SCSV even if the
>> previous connection attempt failed for reasons other than TLS? If, 
>> say, the
>> initial connection attempt failed at the TCP level? That sounds a 
>> little strange
>> to me.
> Yes they do.
> There are many badly written clients out there.  Or poor libraries.

What I find surprising is the rate of these errors. For every 100 
legitimate HTTP requests that make it to Nginx, I get 2.5 “inappropriate 
fallback” SSL errors. That's a lot of noise.

I guess I'll have to adjust my expectations.

Related question: assuming the lists of TLS protocol versions and 
ciphers I've enabled in Nginx are indeed exactly the same as the default 
TLS policy in an AWS ALB, the errors I see now logged by Nginx should 
be, more or less, the same population of errors I saw reflected in the 
ALB metrics before, right? The whole point of this exercise is to 
temporarily work around the lack of a TLS error log in an ALB. The error 
rate does seem quite similar between ALB and Nginx. I'm just wondering 
if the ALB is doing something that my standard Ubuntu openssl libraries 
are not.

Florin Andrei

More information about the openssl-users mailing list