Enable TLS_FALLBACK_SCSV

The TLS Signaling Cipher Suite Value (SCSV) is protection against TLS/SSL downgrade attacks. If enabled, the server makes sure that the most robust protocol that both client and server understand is used.

Security Assessment


CVSS Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Vulnerability Information

The TLS Signaling Cipher Suite Value (SCSV) is protection against TLS/SSL downgrade attacks. If enabled, the server makes sure that the most robust protocol that both client and server understand is used. If it is disabled and the TLS negotiation produces a weaker protocol, an attacker who has been eavesdropping on the connection may have tampered with the handshake so as to force a vulnerable protocol whose encryption they can break.

Guides

Follow this guide to enable TLS_FALLBACK_SCSV:

OpenSSL

When OpenSSL is used as a base for the SSL/TLS encryption (e.g., for an Apache or Nginx webserver), update it to the latest version. The following versions are known to support TLS_FALLBACK_SCSV:

  • OpenSSL 1.0.1j
  • OpenSSL 1.0.0o
  • OpenSSL 0.9.8zc

E.g., run:

apt-get update; apt-get upgrade # Debian / Ubuntu
yum update # RHEL / CentOS
pacman -Syu # Arch Linux


Assumptions and Effects:

The draft RFC states that the server MUST refuse the connection if the maximum protocol version the server supports is higher than the one advertised in the Client Hello that carries the TLS_FALLBACK_SCSV signal. This assumes that the server supports every protocol version between the client's stated version and the server's maximum. What can the server infer about the client? Only that the client supports at least one protocol version higher than the one in the Client Hello; that is all the server knows. So what if one of those intermediate versions is not supported by the server and happens to be the highest version the client supports?

In previous pentests, servers have been seen that did not support TLSv1.1 but did support TLSv1.0 and TLSv1.2. Imagine a client whose best version is TLSv1.1, so it starts a TLSv1.1 connection. TLS allows the server to respond, in effect, "sorry, can't do that, but I can do TLSv1.0". But suppose it is one of those buggy servers that the downgrade fallback was intended for. In that case the connection fails unexpectedly, so the browser attempts the connection again, this time using TLSv1.0 with the TLS_FALLBACK_SCSV signal. The server then refuses the connection because its maximum TLS version is 1.2, and it assumes the client can do better. But the client does not understand 1.2, and the server does not want to speak 1.1, so the two will never talk to one another.
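As an added illustration (not part of the original advisory), the following Python models the server-side rule from RFC 7507 (the draft RFC referred to above) together with a browser's fallback retry, so the edge case just described can be traced step by step. The version and SCSV constants are the real wire values; the client and server objects are a simplified model, not a TLS implementation.

```python
# Added example (not part of the original page): a model of the server-side
# TLS_FALLBACK_SCSV rule from RFC 7507 and of the non-contiguous-version edge
# case described in the text. Version numbers are the real on-the-wire values;
# the client/server behaviour is deliberately simplified.
TLS_FALLBACK_SCSV = 0x5600          # cipher suite value reserved by RFC 7507
SSLv3, TLS1_0, TLS1_1, TLS1_2 = 0x0300, 0x0301, 0x0302, 0x0303


def server_hello_decision(client_version, client_suites, server_versions):
    """Decide how a server answers a ClientHello.

    Returns ("accept", negotiated_version) or ("alert", alert_name).
    """
    server_max = max(server_versions)
    if TLS_FALLBACK_SCSV in client_suites and client_version < server_max:
        # RFC 7507, section 3: the SCSV plus a client_version below the
        # server's maximum MUST be answered with inappropriate_fallback (86),
        # whether or not the server supports every version in between.
        return ("alert", "inappropriate_fallback")
    # Normal negotiation: highest server version not above the client's.
    candidates = [v for v in server_versions if v <= client_version]
    if not candidates:
        return ("alert", "protocol_version")
    return ("accept", max(candidates))


def simulate_fallback_client(client_max, server_versions, first_attempt_fails=False):
    """Model a browser that retries one version lower, adding the SCSV, when
    its first handshake fails. first_attempt_fails stands in for either a
    buggy server that aborts instead of offering a lower version, or an
    eavesdropper interfering with the first handshake to provoke a downgrade."""
    if not first_attempt_fails:
        outcome = server_hello_decision(client_max, set(), server_versions)
        if outcome[0] == "accept":
            return outcome
    # Fallback: retry one minor version lower and signal that it is a fallback.
    return server_hello_decision(client_max - 1, {TLS_FALLBACK_SCSV}, server_versions)
```

With a server supporting only TLSv1.0 and TLSv1.2 and a client whose maximum is TLSv1.1, a correct server accepts TLSv1.0 on the first attempt, while a buggy server leads the client into a fallback that the SCSV rule then rejects.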

For more information about Crashtest Security, visit crashtest-security.com.