[openssl-users] SSL error “inappropriate fallback” and TLS_FALLBACK_SCSV
Florin Andrei
florin at andrei.myip.org
Thu Jun 1 19:12:41 UTC 2017
On 2017-06-01 11:43, Salz, Rich via openssl-users wrote:
>> Would clients actually attempt to send TLS_FALLBACK_SCSV even if the
>> previous connection attempt failed for reasons other than TLS? If, say,
>> the initial connection attempt failed at the TCP level? That sounds a
>> little strange to me.
>
> Yes they do.
>
> There are many badly written clients out there. Or poor libraries.

What I find surprising is the rate of these errors. For every 100
legitimate HTTP requests that make it to Nginx, I get 2.5 “inappropriate
fallback” SSL errors. That's a lot of noise.

I guess I'll have to adjust my expectations.

Related question: assuming the lists of TLS protocol versions and
ciphers I've enabled in Nginx are indeed exactly the same as the default
TLS policy in an AWS ALB, the errors I see now logged by Nginx should
be, more or less, the same population of errors I saw reflected in the
ALB metrics before, right? The whole point of this exercise is to
temporarily work around the lack of a TLS error log in an ALB. The error
rate does seem quite similar between ALB and Nginx. I'm just wondering
if the ALB is doing something that my standard Ubuntu openssl libraries
are not.

--
Florin Andrei
http://florin.myip.org/