Re: SSL error “inappropriate fallback” and TLS_FALLBACK_SCSV

On 2017-06-01 11:43, Salz, Rich via openssl-users wrote:
>> Would clients actually attempt to send TLS_FALLBACK_SCSV even if the
>> previous connection attempt failed for reasons other than TLS? If, say,
>> the initial connection attempt failed at the TCP level? That sounds a
>> little strange to me.
>
> Yes they do.
>
> There are many badly written clients out there.  Or poor libraries.

What I find surprising is the rate of these errors. For every 100 legitimate HTTP requests that make it to Nginx, I get 2.5 “inappropriate fallback” SSL errors. That's a lot of noise.

I guess I'll have to adjust my expectations.

Related question: assuming the lists of TLS protocol versions and ciphers I've enabled in Nginx are indeed exactly the same as the default TLS policy in an AWS ALB, the errors I see now logged by Nginx should be, more or less, the same population of errors I saw reflected in the ALB metrics before, right? The whole point of this exercise is to temporarily work around the lack of a TLS error log in an ALB. The error rate does seem quite similar between ALB and Nginx. I'm just wondering if the ALB is doing something that my standard Ubuntu openssl libraries are not.

--
Florin Andrei
http://florin.myip.org/
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
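
The measurement discussed in this message (“inappropriate fallback” handshake failures per 100 requests) can be taken from the Nginx error log. The following is an added example, not part of the original post: the log lines are constructed samples in the format Nginx uses with OpenSSL 1.0.x, and `summarize` and `request_count` (for example, the number of access-log lines in the same window) are hypothetical names. It assumes `error_log` is set to `info`, the level at which Nginx records these handshake failures.

```python
import re
from collections import Counter

# Constructed sample error_log lines (documentation IP ranges, not real data).
SAMPLE_ERROR_LOG = """\
2017/06/01 11:40:02 [info] 912#912: *101 SSL_do_handshake() failed (SSL: error:140A1175:SSL routines:SSL_BYTES_TO_CIPHER_LIST:inappropriate fallback) while SSL handshaking, client: 192.0.2.10, server: 0.0.0.0:443
2017/06/01 11:40:03 [info] 912#912: *102 SSL_do_handshake() failed (SSL: error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher) while SSL handshaking, client: 203.0.113.5, server: 0.0.0.0:443
2017/06/01 11:40:07 [info] 912#912: *103 SSL_do_handshake() failed (SSL: error:140A1175:SSL routines:SSL_BYTES_TO_CIPHER_LIST:inappropriate fallback) while SSL handshaking, client: 198.51.100.7, server: 0.0.0.0:443
2017/06/01 11:40:09 [error] 912#912: *104 open() "/var/www/html/favicon.ico" failed (2: No such file or directory), client: 203.0.113.5, server: example.test, request: "GET /favicon.ico HTTP/1.1"
2017/06/01 11:40:11 [info] 912#912: *105 SSL_do_handshake() failed (SSL: error:140A1175:SSL routines:SSL_BYTES_TO_CIPHER_LIST:inappropriate fallback) while SSL handshaking, client: 192.0.2.10, server: 0.0.0.0:443
"""

# Match on the textual reason rather than the numeric error code, because the
# code and function name differ between OpenSSL releases.
HANDSHAKE_RE = re.compile(
    r"SSL_do_handshake\(\) failed \(SSL: error:[0-9A-Fa-f]+:[^:]*:[^:]*:"
    r"(?P<reason>[^:)]+)[^)]*\) while SSL handshaking, client: (?P<client>[^,\s]+)"
)


def summarize(error_lines, request_count):
    """Return (failures by reason, fallback failures by client, fallbacks per 100 requests)."""
    reasons, clients = Counter(), Counter()
    for line in error_lines:
        m = HANDSHAKE_RE.search(line)
        if not m:
            continue  # not a handshake failure, or a different log format
        reason = m.group("reason").strip()
        reasons[reason] += 1
        if reason == "inappropriate fallback":
            clients[m.group("client")] += 1
    fallbacks = reasons["inappropriate fallback"]
    # request_count is an assumption: requests served in the same time window.
    rate = 100.0 * fallbacks / request_count if request_count else float("nan")
    return reasons, clients, rate


if __name__ == "__main__":
    reasons, clients, rate = summarize(SAMPLE_ERROR_LOG.splitlines(), request_count=120)
    print("handshake failures by reason:", dict(reasons))
    print("fallback failures by client: ", clients.most_common())
    print("fallback errors per 100 requests: %.1f" % rate)
```

The per-client breakdown shows whether the fallback errors come from a few repeating clients or are spread across many.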



