Description: Wrong use of Fallback SCSV / TLS1.3 interoperability
 Hi,
 .
 we just ran into problems after a backend server was upgraded to support TLS
 1.3 while the openssl pound runs with only supports TLS up to 1.2. The
 connection failed with "tlsv1 alert inappropriate fallback". It turned out
 that pound incorrectly sets SSL_MODE_SEND_FALLBACK_SCSV on backend
 connections. A client should set this flag only after a connection with a
 server failed and the client now retries with a lower TLS version. It must not
 be used by clients like pound, which rely on the TLS version negotiation built
 into the TLS protocol. So just drop the three lines in config.c (patch
 attached).
 .
 [1] https://tools.ietf.org/html/rfc7507#section-1
 [2] https://github.com/openssl/openssl/blob/1d97c8435171a7af575f73c526d79e1ef0ee5960/ssl/ssl.h#L672
 [3] https://security.stackexchange.com/questions/70988/why-do-browsers-probe-and-fallback-or-why-ssl-mode-send-fallback-scsv
 .
 Regards,
 Frank
Author: Frank Schmirler <frank.schmirler@linogate.com>
Date: 2018-12-22 23:47:50
Origin: http://www.apsis.ch/pound/pound_list/archive/2018/2018-12/1545518870000


--- a/config.c
+++ b/config.c
@@ -356,9 +356,6 @@
             SSL_CTX_set_app_data(res->ctx, res);
             SSL_CTX_set_verify(res->ctx, SSL_VERIFY_NONE, NULL);
             SSL_CTX_set_mode(res->ctx, SSL_MODE_AUTO_RETRY);
-#ifdef SSL_MODE_SEND_FALLBACK_SCSV
-            SSL_CTX_set_mode(res->ctx, SSL_MODE_SEND_FALLBACK_SCSV);
-#endif
             SSL_CTX_set_options(res->ctx, SSL_OP_ALL);
 #ifdef  SSL_OP_NO_COMPRESSION
             SSL_CTX_set_options(res->ctx, SSL_OP_NO_COMPRESSION);
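Review bot: The removal of the SSL_MODE_SEND_FALLBACK_SCSV block after SSL_CTX_set_mode(res->ctx, SSL_MODE_AUTO_RETRY) leaves nothing at this spot recording why the flag must stay off, so a later hardening pass could easily put it back. Consider a one-line comment here stating that TLS_FALLBACK_SCSV (RFC 7507) is only for a retry at a lower protocol version after a failed handshake, and that setting it on every first attempt makes a peer supporting a higher version answer with the inappropriate_fallback alert, as reported in the description. Separately, the unchanged context line SSL_CTX_set_verify(res->ctx, SSL_VERIFY_NONE, NULL) shows this context does not verify the peer certificate; that is outside this change but worth its own follow-up.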
