According to the discussions in other threads, some applications
contain that kind of code, some don't.
Since alot of people are getting confused, I am asking that the
documentation clarify if only applications with that kind of code
need to do anything at all.
On 17-10-2014 18:25, Nou Dadoun wrote:
Since this is the users list (as opposed to the dev list) I’m a little
confused about point 2 there; my understanding from the sketchy
descriptions I’ve read is that the fallback to a lower version is
automatically done by openssl on connect failure as opposed to
something similar to the code snippet below being present in
application code. (i.e. I’m not sure whether you intend the “client”
in that description to be openssl library code or user application
code which calls into the library). Thanks … N
*From:*owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] *On Behalf Of *Jakob Bohm
*Sent:* October-17-14 7:59 AM
*To:* openssl-users@openssl.org
*Subject:* Please document the new SSL_MODE_SEND_FALLBACK_SCSV
The new SSL_MODE_SEND_FALLBACK_SCSV option is badly documented in
the wiki and man pages, which is going to cause a lot of problems
when people everywhere rush to incorporate the security fixes into
their code.
In particular, I find the following to be fully undocumented (except
by trying to read the code):
1. SSL_MODE_SEND_FALLBACK_SCSV was introduced in versions 1.0.1j,
1.0.0o and 0.9.8zc, not way back when SSL_CTX_set_mode() itself
was introduced. The information at the bottom of that manpage
needs to say that, like it already does for SSL_MODE_AUTO_RETRY.
2. [ THIS IS A GUESS ]
SSL_MODE_SEND_FALLBACK_SCSV should only be set if the client
contains code like the following:
/* pseudo code */
SSL_try_connect_(supporting versions x..y)
if (failed) {
SSL_try_connect_(supporting versions x..y-1)
if (failed) {
SSL_try_connect_(supporting versions x..y-2)
... (etc.)
}
}
In which case that code needs to change to
/* pseudo code */
SSL_try_connect_(supporting versions x..y)
/* No SSL_MODE_SEND_FALLBACK_SCSV when trying with highest
attempted y */
if (failed) {
SSL_try_connect_(supporting versions x..y-1,
SSL_MODE_SEND_FALLBACK_SCSV)
if (failed) {
SSL_try_connect_(supporting versions x..y-2,
SSL_MODE_SEND_FALLBACK_SCSV)
... (etc.)
}
}
(Note: The Internet draft says (in very technical terms) when an
SSL client should send the message, not when an application should
tell any given SSL library to do so, because that answer is expected
to differ between OpenSSL, Mozilla NSS, Microsoft SCHANNEL,
MatrixSSL and other SSL libraries).
3. Unlike the other SSL_MODE_ options, SSL_MODE_SEND_FALLBACK_SCSV
is not about an internal API behavior.
4. Why this isn't SSL_OPTION_SEND_FALLBACK_SCSV (there is probably
a good reason, but it isn't documented).
--
Jakob Bohm, CIO, partner, WiseMo A/S. http://www.wisemo.com
Transformervej 29, 2730 Herlev, Denmark. direct: +45 31 13 16 10
<call:+4531131610>
This message is only for its intended recipient, delete if misaddressed.
WiseMo - Remote Service Management for PCs, Phones and Embedded
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
