On 2017-06-01 02:13, Matt Caswell wrote:
> The presence of this error doesn't actually mean that you are under
> attack. It just means that the client made an earlier connection attempt
> with a higher version number and it failed. There could be many reasons
> for the failure. For example, plausibly, if you have a lot of mobile
> clients then you could imagine that a network glitch could cause an
> earlier attempt to fail.

It's interesting how I see a constant stream of “inappropriate fallback”
errors in the logs, but this is pretty much the only error from a TLS
perspective. Sure, there's the occasional certificate failure, like once
every few minutes or so, and then, rarely, there's some ancient app
trying SSLv3 (which is not enabled). But looking at the Nginx error.log
the “inappropriate fallback” is basically the only error I get a
perpetual flow of.

If the TLS_FALLBACK_SCSV attempt is caused by a previously failed
connection, that must have been something different from a TLS error,
because “inappropriate fallback” is probably over 99% of the lines in
error.log - it's the only thing I see as logs are scrolling up in my
viewer.

Would clients actually attempt to send TLS_FALLBACK_SCSV even if the
previous connection attempt failed for reasons other than TLS? If, say,
the initial connection attempt failed at the TCP level? That sounds a
little strange to me.

Again, our clients are a mix of the average mobile devices in general
use these days.

--
Florin Andrei
http://florin.myip.org/
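
Added example, not part of the original message and not code from OpenSSL or Nginx: a Python triage script that tallies handshake-phase failures by reason and, for each “inappropriate fallback” rejection, reports what the same client's previous logged failure was. The sample lines are constructed in Nginx error.log format, and the 30-second window and the function names are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines (documentation-range addresses), not taken from a real log.
SAMPLE_LOG = """\
2017/06/01 02:10:00 [info] 911#0: *100 client timed out (110: Connection timed out) while SSL handshaking, client: 198.51.100.7, server: 0.0.0.0:443
2017/06/01 02:10:04 [info] 911#0: *101 SSL_do_handshake() failed (SSL: error:140A1175:SSL routines:ssl_bytes_to_cipher_list:inappropriate fallback) while SSL handshaking, client: 198.51.100.7, server: 0.0.0.0:443
2017/06/01 02:10:09 [info] 911#0: *102 SSL_do_handshake() failed (SSL: error:140A1175:SSL routines:ssl_bytes_to_cipher_list:inappropriate fallback) while SSL handshaking, client: 203.0.113.20, server: 0.0.0.0:443
2017/06/01 02:11:30 [info] 911#0: *103 peer closed connection in SSL handshake while SSL handshaking, client: 192.0.2.55, server: 0.0.0.0:443
2017/06/01 02:11:41 [info] 911#0: *104 SSL_do_handshake() failed (SSL: error:140A1175:SSL routines:ssl_bytes_to_cipher_list:inappropriate fallback) while SSL handshaking, client: 192.0.2.55, server: 0.0.0.0:443
2017/06/01 02:12:02 [info] 911#0: *105 SSL_do_handshake() failed (SSL: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:SSL alert number 46) while SSL handshaking, client: 203.0.113.99, server: 0.0.0.0:443
2017/06/01 02:15:00 [info] 911#0: *106 SSL_do_handshake() failed (SSL: error:140A1175:SSL routines:ssl_bytes_to_cipher_list:inappropriate fallback) while SSL handshaking, client: 198.51.100.7, server: 0.0.0.0:443
"""

LINE = re.compile(
    r"^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[\w+\] \S+ (?:\*\d+ )?"
    r"(?P<msg>.*?) while SSL handshaking, client: (?P<client>[^,\s]+)")
REASON = re.compile(r"\(SSL: error:[0-9A-Fa-f]+:[^:]*:[^:]*:(?P<reason>[^:)]+)")

def parse(log_text):
    """Yield (timestamp, client, reason) for every handshake-phase failure."""
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        r = REASON.search(m["msg"])  # OpenSSL reason string, if the failure was a TLS error
        reason = r["reason"] if r else m["msg"].split(" (")[0]
        yield datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"), m["client"], reason

def triage(log_text, window=timedelta(seconds=30)):
    """Count failures by reason, and label each fallback rejection with the same
    client's previous failure inside `window`, or 'none logged'."""
    reasons, preceded_by, last = Counter(), Counter(), {}
    for ts, client, reason in parse(log_text):
        reasons[reason] += 1
        if reason == "inappropriate fallback":
            prev = last.get(client)
            recent = prev is not None and ts - prev[0] <= window
            preceded_by[prev[1] if recent else "none logged"] += 1
        last[client] = (ts, reason)
    return reasons, preceded_by

if __name__ == "__main__":
    reasons, preceded_by = triage(SAMPLE_LOG)
    print("failures by reason:", dict(reasons))
    print("fallback rejections preceded by:", dict(preceded_by))
```

A high “none logged” count does not show that no earlier attempt happened: a failure below the configured error_log level, or one that never reached this server, leaves no line to correlate.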