Hi Bodo. Many thanks for the OOB patch that I just saw commited to git.
Any reason for the s_client -fallback_scsv option check to be within an
#ifndef OPENSSL_NO_DTLS1 block?

Thanks.

--mancha

Note that the CVE identifier was assigned to the SSL 3.0 protocol issue
related to CBC padding. The new SCSV does not help with that at all.
But that's not a problem: when both parties support TLS, OpenSSL is not
vulnerable even if both sides still enable SSL 3.0 for interoperability
reasons with other peers.

MITRE has not issued a CVE for the broken fallback behavior because it
is not a security vulnerability—it works as designed. This means that
the TLS_FALLBACK_SCSV patch currently has no CVE associated with it.

Thanks for the patch.

Is there a way to compile without the patch? I think I would rather
'config no=ssl3' and omit the additional complexity. Its additional
protocol complexity and heartbleed is still fresh in my mind.

Also, are there any test cases that accompany the patch? I'm trying to
figure out when, exactly, SSL_MODE_SEND_FALLBACK_SCSV needs to be set
(using the sources as a guide).
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users-MCmKBN63+***@public.gmane.org
Automated List Manager majordomo-MCmKBN63+***@public.gmane.org

This patch seems to be the cause of a failure in ‘make errors’:

/usr/bin/perl util/ck_errf.pl -strict */*.c */*/*.c
/usr/bin/perl util/mkerr.pl -recurse -write
Invalid error code SEGMENT_SIZE
Invalid error code PRIME_SANITY_LIMIT
!! ERROR: SSL reason code 373 assigned twice (collision at SSL_R_RFC5430_CURVE_MISMATCH)

I’m guessing this patch (or part of it) was incorporated into 1.0.1j, because this error, and the causal code, showed up after we synced to 1.0.1j. The problem is that both SSL_R_INAPPROPRIATE_FALLBACK (added in this patch) and SSL_R_RFC5430_CURVE_MISMATCH are set to 373. I think the solution is to change the value of SSL_R_INAPPROPRIATE_FALLBACK to 374 (which appears nowhere in <openssl>/ssl/ssl.h.

From: owner-openssl-***@openssl.org [mailto:owner-openssl-***@openssl.org] On Behalf Of Bodo Moeller
Sent: Tuesday, October 14, 2014 7:47 PM
To: openssl-***@openssl.org; openssl-***@openssl.org
Subject: Patch to mitigate CVE-2014-3566 ("POODLE")

Here's a patch for the OpenSSL 1.0.1 branch that adds support for TLS_FALLBACK_SCSV, which can be used to counter the POODLE attack (CVE-2014-3566; https://www.openssl.org/~bodo/ssl-poodle.pdf).

Note well that this is not about a bug in OpenSSL -- it's a protocol issue. If SSL 3.0 is disabled in either the client or in the server, that is completely sufficient to avoid the POODLE attack. (Also, there's only a vulnerability if the client actively falls back to SSL 3.0 in case that TLS connections don't work -- but many browsers still do that to ensure interoperability with broken legacy servers.) If you can't yet disable SSL 3.0 entirely, TLS_FALLBACK_SCSV can help avoid the attack, if both the client and the server support it.

Server-side TLS_FALLBACK_SCSV support is automatically provided if you use the patch. Clients that do fallback connections downgrading the protocol version should use SSL_set_mode(ssl, SSL_MODE_SEND_FALLBACK_SCSV) for such downgraded connections.

The OpenSSL team will follow up with official releases that will include TLS_FALLBACK_SCSV support. Meanwhile, if you can't simply disable SSL 3.0, you may want to use this patch.

Bodo