On 2017-06-01 02:13, Matt Caswell wrote:

The presence of this error doesn't actually mean that you are under
attack. It just means that the client made an earlier connection attempt
with a higher version number and it failed. There could be many reasons
for the failure. For example, plausibly, if you have a lot of mobile
clients then you could imagine that a network glitch could cause an
earlier attempt to fail.

It's interesting how I see a constant stream of “inappropriate fallback” errors in the logs, but this is pretty much the only error from a TLS perspective. Sure, there's the occasional certificate failure, like once every few minutes or so, and then, rarely, there's some ancient app trying SSLv3 (which is not enabled). But looking at the Nginx error.log the “inappropriate fallback” is basically the only error I get a perpetual flow of.

If the TLS_FALLBACK_SCSV attempt is caused by a previously failed connection, that must have been something different from a TLS error, because “inappropriate fallback” is probably over 99% of the lines in error.log - it's the only thing I see as logs are scrolling up in my viewer.

Would clients actually attempt to send TLS_FALLBACK_SCSV even if the previous connection attempt failed for reasons other than TLS? If, say, the initial connection attempt failed at the TCP level? That sounds a little strange to me.

Again, our clients are a mix of the average mobile devices in general use these days.

--
Florin Andrei
http://florin.myip.org/
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
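
An added example, not part of the original message and not code from OpenSSL or Nginx: one way to measure what the message describes, namely the share of "inappropriate fallback" among TLS handshake errors in an Nginx error.log and whether a few clients account for most of them. The log lines are constructed samples in the usual `SSL_do_handshake() failed (SSL: error:...)` shape; the function names and the repeat threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample lines (documentation IP ranges, illustrative error text).
SAMPLE_LOG = """\
2017/06/01 02:10:01 [info] 911#0: *101 SSL_do_handshake() failed (SSL: error:140A1175:SSL routines:ssl_bytes_to_cipher_list:inappropriate fallback) while SSL handshaking, client: 192.0.2.10, server: 0.0.0.0:443
2017/06/01 02:10:02 [info] 911#0: *102 SSL_do_handshake() failed (SSL: error:140A1175:SSL routines:ssl_bytes_to_cipher_list:inappropriate fallback) while SSL handshaking, client: 192.0.2.10, server: 0.0.0.0:443
2017/06/01 02:10:04 [info] 911#0: *103 SSL_do_handshake() failed (SSL: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown:SSL alert number 46) while SSL handshaking, client: 203.0.113.5, server: 0.0.0.0:443
2017/06/01 02:10:05 [info] 911#0: *104 SSL_do_handshake() failed (SSL: error:140A1175:SSL routines:ssl_bytes_to_cipher_list:inappropriate fallback) while SSL handshaking, client: 198.51.100.7, server: 0.0.0.0:443
2017/06/01 02:10:07 [info] 911#0: *105 SSL_do_handshake() failed (SSL: error:1408A10B:SSL routines:ssl3_get_client_hello:wrong version number) while SSL handshaking, client: 203.0.113.9, server: 0.0.0.0:443
2017/06/01 02:10:09 [info] 911#0: *106 SSL_do_handshake() failed (SSL: error:140A1175:SSL routines:ssl_bytes_to_cipher_list:inappropriate fallback) while SSL handshaking, client: 192.0.2.10, server: 0.0.0.0:443
"""

# Captures the OpenSSL reason string (4th field after "error:") and the client.
LINE_RE = re.compile(
    r"\(SSL: error:[0-9A-Fa-f]+:[^:]*:[^:]*:([^):]+)[^)]*\).*?client: ([^,\s]+)"
)

FALLBACK = "inappropriate fallback"


def parse(lines):
    """Yield (reason, client) for every SSL handshake failure line."""
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            yield m.group(1).strip(), m.group(2)


def summarize(lines, threshold=3):
    """Return (fallback share, counts by reason, clients at/over threshold)."""
    events = list(parse(lines))
    by_reason = Counter(reason for reason, _ in events)
    by_client = Counter(c for reason, c in events if reason == FALLBACK)
    share = by_reason[FALLBACK] / len(events) if events else 0.0
    # A client that keeps falling back points at a persistent client or
    # middlebox problem rather than a one-off network glitch.
    repeaters = {c: n for c, n in by_client.items() if n >= threshold}
    return share, by_reason, repeaters


if __name__ == "__main__":
    share, by_reason, repeaters = summarize(SAMPLE_LOG.splitlines())
    print(f"fallback share of handshake errors: {share:.0%}")
    print("by reason:", dict(by_reason))
    print("repeat clients:", repeaters)
```

To run it on a real log, pass the lines of error.log to `summarize()` instead of `SAMPLE_LOG.splitlines()`.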
