Hi, we just ran into problems after a backend server was upgraded to support TLS 1.3 while the openssl pound runs with only supports TLS up to 1.2. The connection failed with "tlsv1 alert inappropriate fallback". It turned out that pound incorrectly sets SSL_MODE_SEND_FALLBACK_SCSV on backend connections. A client should set this flag only after a connection with a server failed and the client now retries with a lower TLS version. It must not be used by clients like pound, which rely on the TLS version negotiation built into the TLS protocol. So just drop the three lines in config.c (patch attached).
[1] https://tools.ietf.org/html/rfc7507#section-1 [2] https://github.com/openssl/openssl/blob/1d97c8435171a7af575f73c526d79e1ef0ee5960/ssl/ssl.h#L672 [3] https://security.stackexchange.com/questions/70988/why-do-browsers-probe-and-fallback-or-why-ssl-mode-send-fallback-scsv Regards, Frank
--- config.c.orig 2018-05-11 12:16:05.000000000 +0200 +++ config.c 2018-12-22 23:19:53.912203188 +0100 @@ -347,9 +347,6 @@ SSL_CTX_set_app_data(res->ctx, res); SSL_CTX_set_verify(res->ctx, SSL_VERIFY_NONE, NULL); SSL_CTX_set_mode(res->ctx, SSL_MODE_AUTO_RETRY); -#ifdef SSL_MODE_SEND_FALLBACK_SCSV - SSL_CTX_set_mode(res->ctx, SSL_MODE_SEND_FALLBACK_SCSV); -#endif SSL_CTX_set_options(res->ctx, SSL_OP_ALL); #ifdef SSL_OP_NO_COMPRESSION SSL_CTX_set_options(res->ctx, SSL_OP_NO_COMPRESSION);