Enable TLS_FALLBACK_SCSV

The TLS Signaling Cipher Suite Value (SCSV) is a protection against TLS/SSL downgrade attacks. If enabled, the server makes sure that the strongest protocol that both client and server understand, is used.

Security Assessment

Security_Assessment_ EnableTLS_FALLBACK_SCSV

CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Vulnerability Information

The TLS Signaling Cipher Suite Value (SCSV) is a protection against TLS/SSL downgrade attacks. If enabled, the server makes sure that the strongest protocol that both client and server understand, is used. If disabled and the TLS negotiation produces a weaker protocol, an attacker may have eavesdropped the connection and changed the request in a way, that he can break the encryption due to a weak protocol.

Guides

Follow this guide to enable TLS_FALLBACK_SCSV:

OpenSSL

When OpenSSL is used as base for the SSL/TLS encryption (e.g. for an Apache or Nginx webserver), update it to the latest version. The following versions are known to support TLS_FALLBACK_SCSV:

  • OpenSSL 1.0.1j
  • OpenSSL 1.0.0o
  • OpenSSL 0.9.8zc

E.g. run:

apt-get update; apt-get upgrade # Debian / Ubuntu
yum update # RHeL / CentOS
pacman -Syu # Arch Linux

For more information about Crashtest Security visit crashtest-security.com