On 2017-06-01 11:43, Salz, Rich via openssl-users wrote:
>> Would clients actually attempt to send TLS_FALLBACK_SCSV even if the
>> previous connection attempt failed for reasons other than TLS? If, say,
>> the initial connection attempt failed at the TCP level? That sounds a
>> little strange to me.
>
> Yes they do.
> There are many badly written clients out there. Or poor libraries.
What I find surprising is the rate of these errors. For every 100
legitimate HTTP requests that make it to Nginx, I get 2.5 “inappropriate
fallback” SSL errors. That's a lot of noise.
I guess I'll have to adjust my expectations.
Related question: assuming the lists of TLS protocol versions and
ciphers I've enabled in Nginx are indeed exactly the same as the default
TLS policy in an AWS ALB, the errors I see now logged by Nginx should
be, more or less, the same population of errors I saw reflected in the
ALB metrics before, right? The whole point of this exercise is to
temporarily work around the lack of a TLS error log in an ALB. The error
rate does seem quite similar between ALB and Nginx. I'm just wondering
if the ALB is doing something that my standard Ubuntu openssl libraries
are not.
--
Florin Andrei
http://florin.myip.org/
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
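The two points raised in this thread, the RFC 7507 rule a server applies when it sees TLS_FALLBACK_SCSV from a client that offers a lower version than the server supports, and measuring how many "inappropriate fallback" handshake failures show up against legitimate requests in Nginx logs, as an added example. This is illustrative code written for this page, not code from the thread, OpenSSL or Nginx. The log lines, IP addresses, and the abbreviated OpenSSL reason string are constructed; the version tuples follow the TLS wire encoding (TLS 1.2 is major 3, minor 3).

```python
import re
from collections import Counter
from typing import Tuple

# TLS versions as (major, minor) in wire encoding.
TLS10 = (3, 1)
TLS11 = (3, 2)
TLS12 = (3, 3)


def server_rejects_fallback(client_max: Tuple[int, int],
                            server_max: Tuple[int, int],
                            scsv_present: bool) -> bool:
    """RFC 7507 server rule: when the ClientHello carries TLS_FALLBACK_SCSV and
    the client's highest offered version is lower than the highest version the
    server supports, the server answers with an inappropriate_fallback alert.
    A client that retried with a downgraded version after a non-TLS failure
    (e.g. a TCP error) lands here even though nothing justified the downgrade,
    which is the 'badly written clients' case from the thread."""
    return scsv_present and client_max < server_max


# Constructed nginx error_log lines (not from the thread). The OpenSSL error
# code is replaced by a <code> placeholder; only the reason string matters here.
ERROR_LOG = """\
2017/06/01 11:40:01 [info] 1001#1001: *10 SSL_do_handshake() failed (SSL: error:<code>:SSL routines:<func>:inappropriate fallback) while SSL handshaking, client: 198.51.100.7, server: 0.0.0.0:443
2017/06/01 11:40:02 [info] 1001#1001: *11 SSL_do_handshake() failed (SSL: error:<code>:SSL routines:<func>:no shared cipher) while SSL handshaking, client: 198.51.100.8, server: 0.0.0.0:443
2017/06/01 11:40:03 [info] 1001#1001: *12 SSL_do_handshake() failed (SSL: error:<code>:SSL routines:<func>:inappropriate fallback) while SSL handshaking, client: 198.51.100.9, server: 0.0.0.0:443
"""

# Constructed access_log: 120 successful requests in the default combined-ish layout.
ACCESS_LOG = "\n".join(
    f'203.0.113.{i % 200} - - [01/Jun/2017:11:40:{i % 60:02d} +0000] '
    f'"GET /health HTTP/1.1" 200 2 "-" "probe/1.0"'
    for i in range(120)
) + "\n"

FALLBACK_RE = re.compile(r"inappropriate fallback")
CLIENT_RE = re.compile(r"client: ([0-9a-fA-F.:]+)")


def count_fallback_errors(error_log: str) -> int:
    """Number of error_log lines that record an inappropriate_fallback alert."""
    return sum(1 for line in error_log.splitlines() if FALLBACK_RE.search(line))


def fallback_clients(error_log: str) -> Counter:
    """Client addresses behind the fallback errors, so repeat offenders (one
    misbehaving library or proxy) can be told apart from broad noise."""
    hits = Counter()
    for line in error_log.splitlines():
        if FALLBACK_RE.search(line):
            m = CLIENT_RE.search(line)
            if m:
                hits[m.group(1)] += 1
    return hits


def fallback_rate_per_100(error_log: str, access_log: str) -> float:
    """Fallback alerts per 100 logged HTTP requests, the ratio the thread quotes."""
    requests = sum(1 for line in access_log.splitlines() if line.strip())
    if requests == 0:
        return 0.0
    return 100.0 * count_fallback_errors(error_log) / requests


if __name__ == "__main__":
    print("server rejects TLS1.1+SCSV when it supports TLS1.2:",
          server_rejects_fallback(TLS11, TLS12, True))
    print("fallback errors:", count_fallback_errors(ERROR_LOG))
    print("by client:", dict(fallback_clients(ERROR_LOG)))
    print(f"rate per 100 requests: {fallback_rate_per_100(ERROR_LOG, ACCESS_LOG):.2f}")
```

One caveat when reading the ratio: the error_log counts failed handshakes, while the access_log counts HTTP requests, and a single keep-alive connection can carry many requests, so the figure is a noise indicator for comparison against another log source (such as the ALB metrics in the thread), not a per-connection failure probability.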