Unverified Commit e0e1be74 authored by Adam Vartanian, committed by GitHub

Don't send TLS_FALLBACK_SCSV if max version is >= 1.2 (#651)

TLS_FALLBACK_SCSV protects against downgrade attacks when clients
implement a version fallback independent of TLS version
negotiation, but if it's set on a non-fallback connection
attempt, it will prevent an otherwise-safe connection if the
server supports a version higher than the client does.  Because
the default OpenJDK TLS implementation doesn't support
TLS_FALLBACK_SCSV, some developers mistakenly enable it on every
connection due to thinking it's a normal cipher suite, which is
starting to cause issues when servers upgrade to TLS 1.3.

We can obviously omit it on connections with a max version of 1.3,
since that's Conscrypt's max version, so it can't be a version
fallback.

As far as connections with a max version of 1.2 are concerned, this
type of fallback is generally not needed any longer, since TLS
1.3-supporting servers should all perform version negotiation
properly.  (Chrome and Firefox have both disabled version fallback
entirely.)  Thus TLS_FALLBACK_SCSV's presence in connections with a
max version of 1.2 is significantly more likely to be a
misconfiguration than a true fallback indication.

We continue to include the cipher suite for connections with a max
version of 1.1 or lower.  First, flaws in pre-1.2 versions are more
likely to exist than flaws in 1.2, so the benefit of flagging
downgrades to those versions is higher.  As well, fallback is most
likely to be useful when dealing with buggy TLS 1.2 servers.

Fixes #574
parent 4100edbf
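The rule described in the commit message, modelled as an added example (not Conscrypt's own code): the client-side filter keeps TLS_FALLBACK_SCSV only when the connection's maximum version is TLS 1.1 or lower, and the server-side check is the one RFC 7507 specifies (abort with inappropriate_fallback when the SCSV is present and the server supports a higher version than the client offered). Protocol names, suite names and the `simulate` helper are assumptions for illustration; the scenarios show why a misconfigured TLS 1.2 client was breaking against TLS 1.3 servers before this change.

```python
# Model of TLS_FALLBACK_SCSV handling: client-side filtering as in the commit,
# server-side downgrade check as in RFC 7507 section 3. Illustration only.

TLS_VERSIONS = {"TLSv1": 0x0301, "TLSv1.1": 0x0302, "TLSv1.2": 0x0303, "TLSv1.3": 0x0304}
FALLBACK_SCSV = "TLS_FALLBACK_SCSV"


def max_version(enabled_protocols):
    """Highest protocol version the client is willing to negotiate."""
    return max(TLS_VERSIONS[p] for p in enabled_protocols)


def client_hello_suites(configured_suites, enabled_protocols):
    """Apply the commit's rule: drop TLS_FALLBACK_SCSV from the ClientHello
    unless the connection's maximum version is TLS 1.1 or lower, where a
    configured SCSV is far more likely to mark a genuine version fallback."""
    if max_version(enabled_protocols) >= TLS_VERSIONS["TLSv1.2"]:
        return [s for s in configured_suites if s != FALLBACK_SCSV]
    return list(configured_suites)


def server_accepts(client_max, client_suites, server_max):
    """RFC 7507 server behaviour: if the SCSV is offered and the server
    supports a version higher than the client's maximum, this looks like a
    downgrade, so the server aborts with an inappropriate_fallback alert."""
    if FALLBACK_SCSV in client_suites and server_max > client_max:
        return False  # alert inappropriate_fallback
    return True


def simulate(configured_suites, enabled_protocols, server_protocol, apply_fix=True):
    """Constructed handshake: does the server accept this client's ClientHello?
    apply_fix=False reproduces the pre-commit behaviour (SCSV always sent)."""
    offered = (client_hello_suites(configured_suites, enabled_protocols)
               if apply_fix else list(configured_suites))
    return server_accepts(max_version(enabled_protocols), offered,
                          TLS_VERSIONS[server_protocol])


if __name__ == "__main__":
    # A developer who mistakenly configured the SCSV as if it were a normal suite.
    misconfigured = ["TLS_AES_128_GCM_SHA256", FALLBACK_SCSV]
    print(simulate(misconfigured, ["TLSv1.2"], "TLSv1.3", apply_fix=False))  # False
    print(simulate(misconfigured, ["TLSv1.2"], "TLSv1.3"))                   # True
    # A real fallback to TLS 1.1 is still flagged by a TLS 1.3 server.
    print(simulate(misconfigured, ["TLSv1.1"], "TLSv1.3"))                   # False
```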