Hi, Using OpenSSL 1.0.1j 15 Oct 2014 on a GNU/Linux machine, I observe that if openssl s_server receives a ClientHello with FALLBACK_SCSV before the actual ciphersuites, it breaks the handshake with a fatal handshake_failure(40) alert, regardless of whether the version is the highest supported or not.
% openssl s_server -www -cert some.crt -key some.key -debug Using default temp DH parameters Using default temp ECDH parameters ACCEPT read from 0x20531d0 [0x20588c0] (11 bytes => 11 (0xB)) 0000 - 16 03 01 00 89 01 00 00-85 03 03 ........... read from 0x20531d0 [0x20588ce] (131 bytes => 131 (0x83)) 0000 - 54 44 ed 69 3a 59 5f dd-0b 5c 68 89 9c 6f e5 32 TD.i:Y_..\h..o.2 0010 - 58 5c 31 e0 6f 6b e8 b6-c8 c9 a4 6d 90 af f0 db X\1.ok.....m.... 0020 - 00 00 06 00 ff 56 00 c0-09 01 00 00 56 00 00 00 .....V......V... 0030 - 0e 00 0c 00 00 09 6c 6f-63 61 6c 68 6f 73 74 00 ......localhost. 0040 - 0d 00 1a 00 18 06 01 05-01 04 01 03 01 02 01 01 ................ 0050 - 01 06 03 05 03 04 03 03-03 02 03 01 03 00 0a 00 ................ 0060 - 18 00 16 00 19 00 1c 00-18 00 1b 00 17 00 16 00 ................ 0070 - 1a 00 15 00 14 00 13 00-12 00 0b 00 02 01 00 00 ................ 0080 - 23 # 0083 - <SPACES/NULS> write to 0x20531d0 [0x20623b0] (7 bytes => 7 (0x7)) 0000 - 15 03 03 00 02 02 28 ......( 140292492379792:error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher:s3_srvr.c:1360: ACCEPT (Ciphersuite list starts as 0x23 with EMPTY_RENEGOTIATION_INFO, followed by FALLBACK_SCSV, then TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA, which is supported.) The expected behaviour would be the one that happens when the SCSV is placed after the actual ciphersuites. Indeed, the draft does not mandate that the SCSV be at the end of the list, it merely states it "will generally" happen this way. Manuel. ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [email protected] Automated List Manager [email protected]
