[openssl-users] Reg issue in alert message
Viktor Dukhovni
openssl-users at dukhovni.org
Tue Oct 23 14:01:57 UTC 2018
On Tue, Oct 23, 2018 at 01:29:27PM +0100, Matt Caswell wrote:
> > So, I think client have set TLS_FALLBACK_SCSV in cipher suite list in
> > client hello.
>
> This suggests there is a bug in the client application. This can only
> happen if the client application calls SSL_CTX_set_mode() or
> SSL_set_mode() to set the SSL_MODE_SEND_FALLBACK_SCSV mode.
I have a somewhat plausible, if dicey hunch:
Perhaps some application developers got confused between
the similar functions SSL_CTX_set_session_cache_mode(3)
and SSL_CTX_set_mode(3) and called the wrong one?
It just so happens that we have:
include/openssl/ssl.h:# define SSL_MODE_SEND_FALLBACK_SCSV 0x00000080U
include/openssl/ssl.h:# define SSL_SESS_CACHE_NO_AUTO_CLEAR 0x0080
which means that someone calling:
SSL_CTX_set_mode(ctx, SSL_SESS_CACHE_NO_AUTO_CLEAR);
instead of:
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_NO_AUTO_CLEAR);
ends up doing exactly the wrong thing. Of course just as likely
or more, the documentation of SSL_MODE_SEND_FALLBACK_SCSV may have
been misunderstood, despite all the warnings.
--
Viktor.
More information about the openssl-users
mailing list