Hi,

We just ran into problems after a backend server was upgraded to support TLS
1.3, while the OpenSSL that pound runs with only supports TLS up to 1.2. The
connection failed with "tlsv1 alert inappropriate fallback". It turned out
that pound incorrectly sets SSL_MODE_SEND_FALLBACK_SCSV on backend
connections. A client should set this flag only after a connection with a
server failed and the client now retries with a lower TLS version. It must not
be used by clients like pound, which rely on the TLS version negotiation built
into the TLS protocol. So just drop the three lines in config.c (patch 
attached).

[1] https://tools.ietf.org/html/rfc7507#section-1
[2] https://github.com/openssl/openssl/blob/1d97c8435171a7af575f73c526d79e1ef0ee5960/ssl/ssl.h#L672
[3] https://security.stackexchange.com/questions/70988/why-do-browsers-probe-and-fallback-or-why-ssl-mode-send-fallback-scsv

Regards,
Frank
--- config.c.orig	2018-05-11 12:16:05.000000000 +0200
+++ config.c	2018-12-22 23:19:53.912203188 +0100
@@ -347,9 +347,6 @@
             SSL_CTX_set_app_data(res->ctx, res);
             SSL_CTX_set_verify(res->ctx, SSL_VERIFY_NONE, NULL);
             SSL_CTX_set_mode(res->ctx, SSL_MODE_AUTO_RETRY);
-#ifdef SSL_MODE_SEND_FALLBACK_SCSV
-            SSL_CTX_set_mode(res->ctx, SSL_MODE_SEND_FALLBACK_SCSV);
-#endif
             SSL_CTX_set_options(res->ctx, SSL_OP_ALL);
 #ifdef  SSL_OP_NO_COMPRESSION
             SSL_CTX_set_options(res->ctx, SSL_OP_NO_COMPRESSION);
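
Review bot: nothing at the removal site (directly after the SSL_MODE_AUTO_RETRY line) records why SSL_MODE_SEND_FALLBACK_SCSV is left unset, so the three lines could easily be reintroduced later as a perceived hardening. Add a short comment there saying the mode belongs only on a handshake that is being retried at a lower protocol version, per RFC 7507. Separately, the unchanged context line SSL_CTX_set_verify(res->ctx, SSL_VERIFY_NONE, NULL) means this context does not verify the peer certificate, which is worth a follow-up outside this patch.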

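The server-side check from RFC 7507 that produces the alert described in the mail, as an added example (not code from pound, OpenSSL or the original message). The function names and the sample cipher-suite lists are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TLS_FALLBACK_SCSV            0x5600 /* signalling suite {0x56, 0x00}, RFC 7507 */
#define ALERT_DECODE_ERROR           50
#define ALERT_INAPPROPRIATE_FALLBACK 86     /* alert defined by RFC 7507 */
#define TLS1_2 0x0303
#define TLS1_3 0x0304

/* Constructed ClientHello cipher_suites vectors (2 bytes per suite, network order). */
static const uint8_t with_scsv[] = {0xC0, 0x2F, 0x00, 0x9C, 0x56, 0x00};
static const uint8_t no_scsv[]   = {0xC0, 0x2F, 0x00, 0x9C};
/* Bytes 0x56 0x00 appear here, but straddle two suites, so they are not the SCSV. */
static const uint8_t straddle[]  = {0x00, 0x56, 0x00, 0x9C};

/* Scan suite by suite; a byte-wise search would misfire on the straddle case. */
static int has_fallback_scsv(const uint8_t *suites, size_t len)
{
    for (size_t i = 0; i + 1 < len; i += 2)
        if (((suites[i] << 8) | suites[i + 1]) == TLS_FALLBACK_SCSV)
            return 1;
    return 0;
}

/* Returns the fatal alert the server must send, or 0 to continue the handshake. */
int fallback_check(uint16_t server_max, uint16_t client_version,
                   const uint8_t *suites, size_t len)
{
    if (len == 0 || len % 2 != 0)
        return ALERT_DECODE_ERROR;
    /* RFC 7507: SCSV present and the server could have done better => refuse. */
    if (has_fallback_scsv(suites, len) && server_max > client_version)
        return ALERT_INAPPROPRIATE_FALLBACK;
    return 0;
}

int main(void)
{
    /* Client limited to TLS 1.2 that always sends the SCSV, as in the report. */
    printf("backend max TLS 1.2: alert %d\n",
           fallback_check(TLS1_2, TLS1_2, with_scsv, sizeof with_scsv));
    printf("backend max TLS 1.3: alert %d\n",
           fallback_check(TLS1_3, TLS1_2, with_scsv, sizeof with_scsv));
    printf("SCSV removed:        alert %d\n",
           fallback_check(TLS1_3, TLS1_2, no_scsv, sizeof no_scsv));
    return 0;
}
```

The first call shows why the unconditional flag went unnoticed while the backend topped out at TLS 1.2; the second is the failure after the backend upgrade.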