Comments (5)
For the time being, we're going to hold off on bringing TLS_FALLBACK_SCSV support in - if we do end up adding support for it, we will do it after further consideration and avoid rushing it in. If we decide to pull this in I'll take a closer look at your diff.
TLS_FALLBACK_SCSV is only useful in the case where a client willingly chooses to do a downgrade and attempts to establish a second connection at a lower protocol after the previous one unexpectedly failed. In short, the client should not do this - client-side fallback is dangerous ("a landmine" to quote agl). TLS_FALLBACK_SCSV only works if both ends support it and it is largely a case of adding a workaround to support/enforce insecure behaviour. Unless you control both ends, you cannot be sure TLS_FALLBACK_SCSV is available and if you do control both ends you can either force TLS 1.2 and/or avoid client-side downgrade.
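The first comment describes the mechanism precisely: the SCSV only carries information when a client that has already failed once retries at a lower version, and it only helps if the server also understands it. The following is an added example (not LibreSSL code, not from any commenter) of the server-side rule from RFC 7507 in isolation: scan the ClientHello cipher_suites vector for the value 0x5600 and, if it is present while the client offers a version below the server's highest, reject the handshake with inappropriate_fallback. The ClientHello fragments are constructed for the example; version constants and the alert name follow the RFC.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Protocol versions as encoded on the wire. */
#define TLS1_0_VERSION 0x0301
#define TLS1_1_VERSION 0x0302
#define TLS1_2_VERSION 0x0303

/* Signaling cipher suite value from RFC 7507. */
#define TLS_FALLBACK_SCSV 0x5600

/* Alert description number for inappropriate_fallback (RFC 7507). */
#define ALERT_INAPPROPRIATE_FALLBACK 86

enum fallback_result {
    FALLBACK_MALFORMED = -1,   /* cipher_suites vector could not be parsed */
    FALLBACK_OK = 0,           /* continue the handshake normally */
    FALLBACK_INAPPROPRIATE = 1 /* send alert inappropriate_fallback and abort */
};

/* Scan a ClientHello cipher_suites vector (2-byte length prefix followed by
 * 2 bytes per suite) for TLS_FALLBACK_SCSV.
 * Returns 1 if present, 0 if absent, -1 if the vector is malformed. */
int has_fallback_scsv(const uint8_t *suites, size_t len)
{
    if (len < 2)
        return -1;
    size_t n = ((size_t)suites[0] << 8) | suites[1];
    if (n % 2 != 0 || n + 2 > len)
        return -1;
    for (size_t i = 2; i + 1 < n + 2; i += 2) {
        uint16_t cs = (uint16_t)((suites[i] << 8) | suites[i + 1]);
        if (cs == TLS_FALLBACK_SCSV)
            return 1;
    }
    return 0;
}

/* RFC 7507 section 3, server side: the SCSV is only acted on when the client's
 * offered version is lower than the highest version this server supports.
 * Without the SCSV the server cannot distinguish a legitimate old client from
 * a downgraded retry, which is why the comment above calls it a workaround. */
enum fallback_result check_fallback(const uint8_t *suites, size_t len,
                                    uint16_t client_version,
                                    uint16_t server_max_version)
{
    int scsv = has_fallback_scsv(suites, len);
    if (scsv < 0)
        return FALLBACK_MALFORMED;
    if (scsv == 1 && client_version < server_max_version)
        return FALLBACK_INAPPROPRIATE;
    return FALLBACK_OK;
}

/* Constructed sample vectors (length prefix, then suites). */
/* A client that retried after a failure and flagged it with the SCSV. */
const uint8_t kRetrySuites[] = { 0x00, 0x04, 0xc0, 0x2f, 0x56, 0x00 };
/* A client that offers the same suites but no SCSV. */
const uint8_t kPlainSuites[] = { 0x00, 0x02, 0xc0, 0x2f };
/* Length prefix claims more bytes than are present. */
const uint8_t kBadSuites[]   = { 0x00, 0x08, 0xc0, 0x2f };

int main(void)
{
    /* Downgraded retry: TLS 1.1 offered, server supports 1.2, SCSV present. */
    enum fallback_result r = check_fallback(kRetrySuites, sizeof(kRetrySuites),
                                            TLS1_1_VERSION, TLS1_2_VERSION);
    if (r == FALLBACK_INAPPROPRIATE)
        printf("reject with alert %d (inappropriate_fallback)\n",
               ALERT_INAPPROPRIATE_FALLBACK);

    /* Same suites at the server's top version: SCSV is harmless, accept. */
    r = check_fallback(kRetrySuites, sizeof(kRetrySuites),
                       TLS1_2_VERSION, TLS1_2_VERSION);
    printf("scsv at max version: %s\n", r == FALLBACK_OK ? "accept" : "reject");

    /* No SCSV: a genuinely old client is indistinguishable from a downgrade. */
    r = check_fallback(kPlainSuites, sizeof(kPlainSuites),
                       TLS1_1_VERSION, TLS1_2_VERSION);
    printf("no scsv, low version: %s\n", r == FALLBACK_OK ? "accept" : "reject");
    return 0;
}
```

The third case is the limitation the first comment points at: a server that supports the SCSV still learns nothing from a client that does not send it, so the check only raises the bar for clients that already do the right thing.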
I'm just gonna note that TLS_FALLBACK_SCSV support is now required for SSL Labs A+ rating, and that TLS_FALLBACK_SCSV is supported by both Chrome 33+ and Firefox 35+.
Server admins wanting to support this feature are then required to use, i.e., OpenSSL or BoringSSL.
I get why client-side fallback is dangerous, and in a perfect world clients and servers would use TLS version negotiation to agree on a version, but sadly this is not the case with browsers as-is.
So for all us server admins out there, dealing with HTTPS, and wanting to provide the best possible security for the browsers we don't control, I urge you to add support.
+1 to add support. I would like to see A+ results for LibreSSL powered servers again.
Based on their replies, I don't think I would grant that rating too much credence - the people in charge of it seem more concerned with the A+ rating meaning "it supports all the features" - as they don't appear to be willing to discuss the issues of the fact that FALLBACK_SCSV isn't standard yet, and has some serious potential problems.
On Tue, Dec 23, 2014 at 9:50 AM, Simon Eisenmann wrote:
+1 to add support. I would like to see A+ results for LibreSSL powered servers again.
Server-side TLS_FALLBACK_SCSV support has reluctantly been added to LibreSSL.