The TLS Signaling Cipher Suite Value (SCSV) is a protection against TLS/SSL downgrade attacks. If enabled, the server makes sure that the strongest protocol that both client and server understand is used.
Security Assessment
CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Vulnerability Information
The TLS Signaling Cipher Suite Value (SCSV) is a protection against TLS/SSL downgrade attacks. If enabled, the server makes sure that the strongest protocol that both client and server understand is used: a client that retries the handshake with a lower version includes the TLS_FALLBACK_SCSV pseudo cipher suite, and a server that supports a higher version rejects that retry with an inappropriate_fallback alert (RFC 7507). If disabled and the TLS negotiation produces a weaker protocol, an attacker may have intercepted the connection and tampered with the handshake so that a weak protocol is negotiated, whose encryption they can then break.
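The server-side rule described above, as an added example that is not part of this advisory: a small model of the RFC 7507 check that builds constructed ClientHello bodies, parses the offered version and cipher suite list, and reports whether a server must abort with the inappropriate_fallback alert. The helper names and the fixed 32-byte random are assumptions made for the example, and the byte layout is the standard ClientHello structure up to the compression methods (no extensions), which is all the check needs.

```python
"""
Added example (not the advisory's own code): server-side TLS_FALLBACK_SCSV
check from RFC 7507, applied to constructed ClientHello bodies.
"""
import struct

TLS_FALLBACK_SCSV = 0x5600          # cipher suite value reserved by RFC 7507
ALERT_INAPPROPRIATE_FALLBACK = 86   # AlertDescription "inappropriate_fallback"

# Protocol versions as encoded on the wire: (major, minor)
TLS_1_0 = (3, 1)
TLS_1_1 = (3, 2)
TLS_1_2 = (3, 3)


def build_client_hello(version, cipher_suites):
    """Construct a bare ClientHello body (no record or handshake framing).
    Constructed test data: the 32-byte random is all zeros, session_id is
    empty, and only the null compression method is offered."""
    body = bytes(version)                               # client_version
    body += b"\x00" * 32                                # random (constructed)
    body += b"\x00"                                     # session_id length 0
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites     # cipher_suites vector
    body += b"\x01\x00"                                 # compression_methods: null
    return body


def parse_client_hello(body):
    """Return (client_version, [cipher suites]) from a ClientHello body."""
    if len(body) < 35:
        raise ValueError("truncated ClientHello")
    version = (body[0], body[1])
    pos = 34                                   # skip version (2) + random (32)
    sid_len = body[pos]
    pos += 1 + sid_len
    if len(body) < pos + 2:
        raise ValueError("truncated cipher suite length")
    (suites_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    suites_raw = body[pos:pos + suites_len]
    if len(suites_raw) != suites_len or suites_len % 2:
        raise ValueError("malformed cipher suite list")
    suites = [struct.unpack("!H", suites_raw[i:i + 2])[0]
              for i in range(0, suites_len, 2)]
    return version, suites


def scsv_check(body, server_max_version, scsv_enabled=True):
    """Apply the RFC 7507 server rule.

    Returns None when the handshake may proceed, or the alert code the server
    must send. If the client lists TLS_FALLBACK_SCSV and offers a version lower
    than the highest the server supports, the client has fallen back (possibly
    because an attacker disrupted the first handshake), so the server aborts.
    With scsv_enabled=False the value is treated like any unknown suite and
    ignored, which is the behaviour of an unpatched server.
    """
    version, suites = parse_client_hello(body)
    if not scsv_enabled:
        return None
    if TLS_FALLBACK_SCSV in suites and version < server_max_version:
        return ALERT_INAPPROPRIATE_FALLBACK
    return None


if __name__ == "__main__":
    # A client that already fell back from TLS 1.2 to TLS 1.0 and signals it.
    hello = build_client_hello(TLS_1_0, [0x002F, TLS_FALLBACK_SCSV])
    print("patched server:", scsv_check(hello, TLS_1_2))                 # 86
    print("unpatched server:", scsv_check(hello, TLS_1_2, False))        # None
    # The client's best version matches the server's: nothing to reject.
    print("no fallback:", scsv_check(build_client_hello(TLS_1_2, [0x002F, TLS_FALLBACK_SCSV]), TLS_1_2))
```

To verify a live server after the upgrade, `openssl s_client -connect host:443 -tls1 -fallback_scsv` (the `-fallback_scsv` option was added in the versions listed below) should be refused with an inappropriate fallback alert when the server supports a newer protocol; a server that completes the TLS 1.0 handshake instead does not implement the check.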
Guides
Follow this guide to enable TLS_FALLBACK_SCSV:
OpenSSL
When OpenSSL is used as the basis for the SSL/TLS encryption (e.g. for an Apache or Nginx web server), update it to the latest version. The following versions are known to support TLS_FALLBACK_SCSV:
- OpenSSL 1.0.1j
- OpenSSL 1.0.0o
- OpenSSL 0.9.8zc
E.g. run:
apt-get update; apt-get upgrade # Debian / Ubuntu
yum update # RHEL / CentOS
pacman -Syu # Arch Linux