Enable TLS_FALLBACK_SCSV

    The TLS Signaling Cipher Suite Value (SCSV) is a protection against TLS/SSL downgrade attacks. If enabled, the server makes sure that the strongest protocol that both client and server understand, is used.

    Security Assessment

    Security_Assessment_ EnableTLS_FALLBACK_SCSV

    CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

    Vulnerability Information

    The TLS Signaling Cipher Suite Value (SCSV) is a protection against TLS/SSL downgrade attacks. If enabled, the server makes sure that the strongest protocol that both client and server understand, is used. If disabled and the TLS negotiation produces a weaker protocol, an attacker may have eavesdropped the connection and changed the request in a way, that he can break the encryption due to a weak protocol.

    Guides

    Follow this guide to enable TLS_FALLBACK_SCSV:

    OpenSSL

    When OpenSSL is used as base for the SSL/TLS encryption (e.g. for an Apache or Nginx webserver), update it to the latest version. The following versions are known to support TLS_FALLBACK_SCSV:

    • OpenSSL 1.0.1j
    • OpenSSL 1.0.0o
    • OpenSSL 0.9.8zc

    E.g. run:

    apt-get update; apt-get upgrade # Debian / Ubuntu
    yum update                      # RHeL / CentOS
    pacman -Syu                     # Arch Linux

    For more information about Crashtest Security visit crashtest-security.com

    Crashtest Security GmbH Wiki