On Thu, Oct 11, 2018 at 07:03:21PM -0500, Benjamin Kaduk wrote:

> I would guess that the misbehaving clients are early openssl betas
> that receive the real TLS 1.3 version and then try to interpret
> as whatever draft versino they actually implemnet.

Early, partial reports of the cause seem to indicate that the sending
side was using OpenSSL with:

        SSL_CTX_set_mode(ctx, SSL_MODE_SEND_FALLBACK_SCSV);

seemingly despite no prior handshake failure, this is of course
fatally wrong.  But my question remains, should/could we provide a
control that ignores fallback signals from clients, and keeps going?
Either regardless of the resulting protocol version, or perhaps if
it is at least some acceptable floor?

That way, applications like MTAs that do opportunistic TLS, could
keep going with TLS 1.2, since failing to negotiate TLS will typically
result in downgrade to cleartext, rather than protection from TLS
version downgrades.  Such a mechanism might also make it possible
to support connections from a small fraction of broken clients,
without disabling TLS 1.3 globally.

-- 
        Viktor.
_______________________________________________
openssl-project mailing list
openssl-project@openssl.org
https://mta.openssl.org/mailman/listinfo/openssl-project

Reply via email to