[openssl-users] Reg issue in alert message

Michael Wojcik Michael.Wojcik at microfocus.com
Tue Oct 23 15:37:25 UTC 2018

> From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf
> Of Viktor Dukhovni
> Sent: Tuesday, October 23, 2018 10:02
> On Tue, Oct 23, 2018 at 01:29:27PM +0100, Matt Caswell wrote:
> > > So, I think client have set TLS_FALLBACK_SCSV in cipher suite list in
> > > client hello.
> >
> > This suggests there is a bug in the client application. This can only
> > happen if the client application calls SSL_CTX_set_mode() or
> > SSL_set_mode() to set the SSL_MODE_SEND_FALLBACK_SCSV mode.
> I have a somewhat plausible, if dicey hunch:
>     Perhaps some application developers got confused between
>     the similar functions SSL_CTX_set_session_cache_mode(3)
>     and SSL_CTX_set_mode(3) and called the wrong one?

Certainly possible, but I wouldn't discount the possibility that someone simply thought setting SSL_MODE_SEND_FALLBACK_SCSV was the Right Thing. There was a fair bit of confusion around the Fallback SCSV when it first appeared (we had questions from customers that indicated they didn't understand it, and I had to read the ID to make sure I did). And, of course, TLS is mightly confusing in general.

It is interesting to note that those two options happen to have the same value, though, particularly given the similarity of the two function names.

This is one of those cases where C's weak type system is a problem. Though it would be nice if OpenSSL used enums rather than macros for these things.

Michael Wojcik
Distinguished Engineer, Micro Focus

More information about the openssl-users mailing list