TLS_FALLBACK_SCSV Security Assessment
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
TLS_FALLBACK_SCSV Vulnerability Information
The TLS Signaling Cipher Suite Value (SCSV) is a protection against TLS/SSL downgrade attacks. If enabled, the server makes sure that the strongest protocol that both client and server understand is used. If it is disabled and the TLS negotiation ends up with a weaker protocol, an attacker sitting on the connection may have tampered with the handshake to force that weaker protocol, and may then be able to break the encryption because of the protocol's known weaknesses.
How to Enable TLS_FALLBACK_SCSV
Follow this guide to enable TLS_FALLBACK_SCSV:
When OpenSSL is used as the basis for the SSL/TLS encryption (e.g. by an Apache or Nginx web server), update it to the latest version. The following versions are known to support TLS_FALLBACK_SCSV:
- OpenSSL 1.0.1j
- OpenSSL 1.0.0o
- OpenSSL 0.9.8zc
```shell
apt-get update && apt-get upgrade   # Debian / Ubuntu
yum update                          # RHEL / CentOS
pacman -Syu                         # Arch Linux
```
TLS_FALLBACK_SCSV Assumptions and Effects
The draft RFC states that the server MUST refuse the connection if the maximum protocol version it supports is higher than the version advertised in a Client Hello that carries the TLS_FALLBACK_SCSV signal. This assumes that the server supports every protocol version between the client's stated version and the server's maximum.
What can the server infer about the client? It’s clear the client supports at least a protocol version one higher than that within the Client Hello. But that’s all the server knows. So what if one among those intermediate versions isn’t supported by the server and happens to be the highest version the client supports?
In previous pentests we have seen servers that don't support TLSv1.1 but do support TLSv1.0 and TLSv1.2. Imagine a client whose best version is TLSv1.1, so it starts off a TLSv1.1 connection. TLS allows the server to respond, in effect, "sorry, can't do that, but I can do TLSv1.0". But suppose it is one of those buggy servers that the downgrade fallback was intended for…
In this case the connection fails in an unexpected way, so the browser attempts the connection again, this time using TLSv1.0 with the TLS_FALLBACK_SCSV signal. The server then refuses the connection because its maximum TLS version is 1.2 and it assumes the client can do better. But in fact the client doesn't understand 1.2 and the server doesn't want to speak 1.1, so the two will never be able to talk to one another.
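Both situations on this page, the connection pushed down to a weaker protocol described under the vulnerability information and the server that lacks an intermediate version described in this section, can be replayed with a small model of the RFC 7507 server check and a browser-style fallback client. This is an added example, not code from the original page or from any TLS library; the version tuples, the `network_ok` callback (which stands for "did the handshake at this version complete at all") and the scenario helpers are assumptions made for illustration.

```python
# Added example (not from the original page): a model of the TLS_FALLBACK_SCSV
# server check from RFC 7507 and of a browser-style fallback client, used to
# replay the downgrade scenario and the "missing intermediate version" corner
# case. Version tuples, helper names and the network_ok() callback are
# constructed for illustration.
from dataclasses import dataclass

# Protocol versions as (major, minor) wire values.
TLS10, TLS11, TLS12 = (3, 1), (3, 2), (3, 3)
NAMES = {TLS10: "TLSv1.0", TLS11: "TLSv1.1", TLS12: "TLSv1.2"}

TLS_FALLBACK_SCSV = 0x5600  # signalling cipher suite value from RFC 7507
SOME_SUITE = 0x009C         # an ordinary suite (TLS_RSA_WITH_AES_128_GCM_SHA256)


@dataclass
class ClientHello:
    client_version: tuple   # highest version the client claims in this attempt
    cipher_suites: list


def server_select(supported, hello, scsv_enabled=True):
    """Server side of version negotiation.

    Returns ("ok", version) or ("alert", name). RFC 7507 section 3: if the
    Client Hello carries TLS_FALLBACK_SCSV and the highest version the server
    supports is *higher than* hello.client_version, the server MUST answer
    with a fatal inappropriate_fallback alert. The check is strictly "higher
    than": a client that fell back to the server's own maximum is accepted.
    """
    if (scsv_enabled and TLS_FALLBACK_SCSV in hello.cipher_suites
            and max(supported) > hello.client_version):
        return ("alert", "inappropriate_fallback")
    # Normal negotiation: the highest server version not above client_version.
    candidates = [v for v in supported if v <= hello.client_version]
    if not candidates:
        return ("alert", "protocol_version")
    return ("ok", max(candidates))


def client_connect(client_versions, server_supported, network_ok,
                   send_scsv=True, scsv_enabled=True):
    """Browser-style client: try the highest version first; whenever the
    handshake dies unexpectedly, retry with the next lower version and (if
    send_scsv) add TLS_FALLBACK_SCSV to the retry. network_ok(version) is
    False when the handshake at that version never completes, i.e. a buggy
    server or middlebox, or someone interfering with the connection."""
    for attempt, version in enumerate(sorted(client_versions, reverse=True)):
        suites = [SOME_SUITE]
        if attempt > 0 and send_scsv:
            suites.append(TLS_FALLBACK_SCSV)
        if not network_ok(version):
            continue  # unexpected failure: fall back and try again
        verdict, detail = server_select(server_supported,
                                        ClientHello(version, suites),
                                        scsv_enabled)
        if verdict == "ok":
            return ("connected", NAMES[detail])
        return ("refused", detail)  # a clean alert ends the fallback dance
    return ("refused", "no_attempt_completed")


def scenario_downgrade(send_scsv):
    """Both sides speak TLSv1.0 to TLSv1.2, but every handshake above
    TLSv1.0 is killed on the wire (the downgrade situation the page warns of)."""
    both = {TLS10, TLS11, TLS12}
    return client_connect(both, both, lambda v: v == TLS10, send_scsv=send_scsv)


def scenario_missing_intermediate(buggy):
    """Server speaks TLSv1.0 and TLSv1.2 only; the client's best is TLSv1.1.
    With buggy=True the TLSv1.1 attempt dies instead of being answered with a
    clean "I can do TLSv1.0", which triggers the fallback plus SCSV."""
    return client_connect({TLS10, TLS11}, {TLS10, TLS12},
                          lambda v: not (buggy and v == TLS11))


if __name__ == "__main__":
    print("downgrade, no SCSV       :", scenario_downgrade(send_scsv=False))
    print("downgrade, with SCSV     :", scenario_downgrade(send_scsv=True))
    print("well-behaved 1.0/1.2 srv :", scenario_missing_intermediate(buggy=False))
    print("buggy 1.0/1.2 server     :", scenario_missing_intermediate(buggy=True))
```

Run directly, the script prints the four verdicts: without the SCSV the killed handshakes end in a silent TLSv1.0 connection, with it the server refuses with inappropriate_fallback, and the buggy TLSv1.0/TLSv1.2 server refuses the honest TLSv1.1-only client in exactly the way the section describes. Against a real server, OpenSSL's `s_client` can exercise the same check with its `-fallback_scsv` option combined with a lowered protocol version such as `-tls1`: a server that implements the SCSV answers with the inappropriate fallback alert instead of completing the handshake.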