Tls_fallback_scsv

Hi there,

Regarding POODLEbleed[1] issue, I’ve disable SSLv3 on ssl_protocols
directive. But, ssllabs.com says that :

---- snip ----
Downgrade attack prevention No, TLS_FALLBACK_SCSV not supported (more
info[2])
---- snip ----

But on LiteSpeed[3] configuration, it says yes.

---- snip ----
Downgrade attack prevention Yes, TLS_FALLBACK_SCSV supported
---- snip ----

With configuration:
---- snip ----
SSLHonorCipherOrder On
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
---- snip ----

$ nginx -v
nginx version: nginx/1.6.2
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-4) (GCC)
TLS SNI support enabled
[snip]
–add-module=/home/mockbuild/rpmbuild/SOURCES/ngx_pagespeed-release-1.9.32.1-beta

So the question is, how important it is?

---- Reference
[1] Protecting NGINX and NGINX Plus from the POODLE Attack
[2] draft-bmoeller-tls-downgrade-scsv-02 - TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks
[3]
Bot Verification

Regarding POODLEbleed[1] issue, I’ve disable SSLv3 on ssl_protocols

thats the most important part

directive. But, ssllabs.com says that :

---- snip ----
Downgrade attack prevention No, TLS_FALLBACK_SCSV not supported (more
info[2])

TLS_FALLBACK_SCSV also prevents downgrades from TLSv1.2 → TLSv1.1 →
TLSv1

and has got nothing to do with SSLv3

With configuration:
---- snip ----
SSLHonorCipherOrder On
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2

isnt this the apacheconfig?

So the question is, how important it is?

it is not yet important, but downgrade-attacks might happen
again.

do you have nginx with a different openssl-library installed, e.g.
statically linked

please paste the full output from

$ nginx -V

Posted at Nginx Forum:

Hi mex,

Yes, it’s apacheconfig, Litespeed is drop-in replacement for Apache.

Here is my full nginx -V http://fpaste.org/142890/60334141/raw

I don’t have nginx with different openssl-library installed.

Thanks.