On Tue, Oct 23, 2018 at 01:29:27PM +0100, Matt Caswell wrote:
> > So, I think the client has set TLS_FALLBACK_SCSV in the cipher suite list in
> > the client hello.
>
> This suggests there is a bug in the client application. This can only
> happen if the client application calls SSL_CTX_set_mode() or
> SSL_set_mode() to set the SSL_MODE_SEND_FALLBACK_SCSV mode.
I have a somewhat plausible, if dicey hunch:
Perhaps some application developers got confused between
the similar functions SSL_CTX_set_session_cache_mode(3)
and SSL_CTX_set_mode(3) and called the wrong one?
It just so happens that we have:
include/openssl/ssl.h:# define SSL_MODE_SEND_FALLBACK_SCSV 0x00000080U
include/openssl/ssl.h:# define SSL_SESS_CACHE_NO_AUTO_CLEAR 0x0080
which means that someone calling:
SSL_CTX_set_mode(ctx, SSL_SESS_CACHE_NO_AUTO_CLEAR);
instead of:
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_NO_AUTO_CLEAR);
ends up doing exactly the wrong thing. Of course just as likely
or more, the documentation of SSL_MODE_SEND_FALLBACK_SCSV may have
been misunderstood, despite all the warnings.
--
Viktor.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
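Whichever of the two explanations above is right, the observable symptom is the same: the ClientHello carries the cipher suite value 0x5600 (TLS_FALLBACK_SCSV, RFC 7507), and a server whose highest supported version is above client_version will abort with inappropriate_fallback. The following script is an added example, not code from this thread or from OpenSSL; it parses a captured ClientHello record with bounds checks on every length field, reports whether the SCSV is present, and models the RFC 7507 section 3 server decision. The build_client_hello helper and the cipher suite lists it is fed are constructed test input, not a capture from the reporter's client.

```python
"""Detect TLS_FALLBACK_SCSV in a ClientHello and model the server's reaction."""
import struct
from typing import List, Tuple

TLS_FALLBACK_SCSV = 0x5600  # RFC 7507 signalling cipher suite value


def build_client_hello(version: int, cipher_suites: List[int]) -> bytes:
    """Build a minimal TLS ClientHello record (constructed sample input).

    The random is fixed and the extensions block is empty; that is enough
    for exercising the parser below and is not a usable handshake.
    """
    body = struct.pack("!H", version)
    body += b"\x11" * 32                               # client_random (fixed)
    body += b"\x00"                                    # empty session_id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", cs) for cs in cipher_suites)
    body += b"\x01\x00"                                # compression: null only
    body += b"\x00\x00"                                # empty extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # client_hello(1)
    return (b"\x16" + struct.pack("!H", 0x0301)
            + struct.pack("!H", len(handshake)) + handshake)


def parse_client_hello(record: bytes) -> Tuple[int, List[int]]:
    """Return (client_version, cipher_suites) from a TLS handshake record.

    Every length field is checked against the buffer before it is used, so a
    truncated or hostile capture raises ValueError rather than IndexError.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4:
        raise ValueError("truncated record")
    if body[0] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or len(hello) < 2 + 32 + 1:
        raise ValueError("truncated ClientHello")
    (version,) = struct.unpack("!H", hello[0:2])
    pos = 2 + 32                                       # skip version and random
    pos += 1 + hello[pos]                              # skip session_id
    if len(hello) < pos + 2:
        raise ValueError("truncated before cipher_suites")
    (cs_len,) = struct.unpack("!H", hello[pos:pos + 2])
    pos += 2
    if cs_len % 2 or len(hello) < pos + cs_len:
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack("!H", hello[i:i + 2])[0]
              for i in range(pos, pos + cs_len, 2)]
    return version, suites


def sends_fallback_scsv(record: bytes) -> bool:
    """True if the ClientHello advertises TLS_FALLBACK_SCSV."""
    return TLS_FALLBACK_SCSV in parse_client_hello(record)[1]


def server_would_reject(record: bytes, server_max_version: int) -> bool:
    """RFC 7507 section 3: a server that supports a version higher than
    client_version and sees TLS_FALLBACK_SCSV must send inappropriate_fallback."""
    version, suites = parse_client_hello(record)
    return TLS_FALLBACK_SCSV in suites and version < server_max_version


if __name__ == "__main__":
    # Constructed samples: a normal hello, and one that looks like the
    # misconfigured client described in this thread.
    normal = build_client_hello(0x0303, [0xC02F, 0xC030])
    suspect = build_client_hello(0x0302, [0xC02F, TLS_FALLBACK_SCSV])
    for name, rec in (("normal", normal), ("suspect", suspect)):
        print(name, "SCSV:", sends_fallback_scsv(rec),
              "rejected by TLS1.2 server:", server_would_reject(rec, 0x0303))
```

To apply this to a real capture, feed the raw bytes of the first record the client sends (for example, the payload of the first TLS packet from a pcap) to sends_fallback_scsv; a True result confirms the client, not the server, is the side to fix, which is the point of Matt's reply.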