On one machine I am using openssl 1.0.0m with only support for SSLv3 ciphers. I am also using Chrome 47 that uses this openssl server successfully. I am not setting SSLv3-fallback.

On another machine with the same setup Chrome sporadically displays (only in Chrome 46+, not IE/Firefox):

ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION

ERR_EMPTY_RESPONSE

This happens even if SSLVersionFallbackMin=tls1 is used as a command line flag to start Chrome.

"An update on SSLv3 in Chrome." https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/Vnhy9aKM_l4

SSLv3-fallback is only needed to support buggy HTTPS servers. Servers that correctly support only SSLv3 will continue to work (for now) but some buggy servers may stop working.

How is it possible to determine specifically what the issue is with the "buggy" HTTPS server without updating the ciphers to TLS 1.2?

abalone

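One way to answer the question "is my server merely old, or is it buggy?" is to compare a browser-style handshake (which offers every version up to TLS 1.2 and expects the server to negotiate down) against handshakes pinned to a single version. A well-behaved SSLv3-only server answers both; a version-intolerant server drops or resets the wide hello, which is exactly the condition Chrome's fallback removal turns into ERR_SSL_FALLBACK_BEYOND_MINIMUM_VERSION. The script below is an added example, not part of the question or any project; it assumes Python 3.7+ and that the local OpenSSL build can still offer the legacy versions (the `VERSIONS` list, the hypothetical `probe()`/`classify()` names and the diagnosis strings are the author's own). Since the failure is described as sporadic, run it several times against your own server and look for a changing `wide` result.

```python
import socket
import ssl
import sys

# Candidate protocol versions, lowest first. Whether the local OpenSSL can
# actually offer SSLv3 or TLS 1.0 depends on how it was built; versions the
# library refuses to configure are reported as "unsupported_locally".
VERSIONS = [
    ("SSLv3", ssl.TLSVersion.SSLv3),
    ("TLSv1", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
]


def _handshake(host, port, lo, hi, timeout=5.0):
    """Attempt one handshake offering protocol versions lo..hi.

    Returns ("ok", negotiated_version, cipher_name) or ("fail", reason).
    Certificate verification is disabled on purpose: this diagnoses the
    server's handshake behaviour, it does not establish trust in its identity.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = lo
        ctx.maximum_version = hi
    except (ValueError, ssl.SSLError):
        return ("fail", "unsupported_locally")
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")  # let the probe offer legacy suites
    except ssl.SSLError:
        pass  # older OpenSSL has no security levels; keep its default list
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return ("ok", tls.version(), tls.cipher()[0])
    except ssl.SSLEOFError:
        # The peer closed the connection mid-handshake without an alert.
        return ("fail", "dropped:SSLEOFError")
    except ssl.SSLError as e:
        # A clean alert from the server: it at least answered the ClientHello.
        return ("fail", "alert:" + (e.reason or "unknown"))
    except (ConnectionResetError, socket.timeout, OSError) as e:
        # No usable reply at all: RST, silent close or timeout.
        return ("fail", "dropped:" + type(e).__name__)


def probe(host, port=443):
    """Run the handshake matrix against one server and return the results."""
    results = {}
    # One "wide" handshake offering the whole range, which is what a modern
    # browser does: a well-behaved server simply negotiates its best version.
    results["wide"] = _handshake(host, port, VERSIONS[0][1], VERSIONS[-1][1])
    # Then one handshake pinned to each single version.
    for name, version in VERSIONS:
        results[name] = _handshake(host, port, version, version)
    return results


def classify(results):
    """Interpret a result matrix (the shape probe() returns) as one diagnosis."""
    pinned_ok = [n for n, _ in VERSIONS if results.get(n, ("fail",))[0] == "ok"]
    wide = results.get("wide", ("fail", "missing"))
    if not pinned_ok:
        return "unreachable"            # nothing negotiated at any version
    if wide[0] == "ok":
        if pinned_ok == ["SSLv3"]:
            return "sslv3_only"         # ancient but correct; needs no fallback
        return "healthy"                # negotiates a sensible version directly
    # Some pinned version works but the browser-style wide hello does not:
    # the server cannot cope with a ClientHello advertising a newer version.
    if wide[1].startswith("dropped:"):
        return "version_intolerant_drop"
    return "version_intolerant_alert"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    matrix = probe(target)
    for label, outcome in matrix.items():
        print(f"{label:8} {outcome}")
    print("diagnosis:", classify(matrix))
```

Read the pinned rows to see which versions the server genuinely speaks, and the `wide` row to see whether it negotiates down gracefully. Only the `version_intolerant_*` diagnoses describe the "buggy" server in the linked Chrome announcement; `sslv3_only` is the case the announcement says keeps working for now.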
    Are you running a 'buggy' HTTPS server ? – user9517 Dec 12 '15 at 07:30
  • 1
    I doubt that Chrome 47 is using OpenSSL, at least not the systems OpenSSL library. They've used to use NSS (except on Android) and are moving to BoringSSL (a stripped down fork of OpenSSL) – Steffen Ullrich Dec 12 '15 at 07:44
  • SSLv3 **ciphers** or SSLv3 **protocol** in OpenSSL? Those are different. OpenSSL 1.0.0 supports all ciphers tagged 'SSLv3' in both SSLv3 and TLSv1.0 protocols, and the common 'SSL23' API supports those two protocols if cipherlist is only SSLv3 ciphers. (Higher versions support them in TLSv1.1 and 1.2 also even though 4346 deletes export and 5246 deletes singleDES -- and 7465 deletes RC4. But you should config those off in all protocols.) If you can get a network trace or capture of the problem event, look at it and/or add or link it to your question. – dave_thompson_085 Dec 12 '15 at 10:32
  • By SSLv3, I mean that if run "openssl -ciphers -v" it only displays SSLv3 ciphers. By "network trace" would a Fiddler https trace suffice or is a Wireshark network trace necessary? I did look at a Fiddler trace but didn't see anything other than the error listed above. Maybe I missed something though. – abalone Dec 13 '15 at 06:04
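The exchange above turns on the difference between the protocol column that `openssl ciphers -v` prints and the protocols a suite can actually be negotiated under. As an added example (not code from the question or from OpenSSL), the script below parses that output and separates the two ideas: `introduced_in` is what the column records, `usable_protocols()` is the version range the suite can run under, and `audit()` flags the export, single-DES and RC4 suites the RFCs cited above removed. The `SAMPLE` text is constructed in the OpenSSL 1.0.x output format; the class and function names are the author's own. Pipe the real output of `openssl ciphers -v` into `parse_ciphers()` to audit your own build.

```python
import re
from dataclasses import dataclass

# Constructed sample of `openssl ciphers -v` output in the OpenSSL 1.0.x
# layout; typical of that era, not copied from any real host.
SAMPLE = """\
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
"""

# Protocol versions in the order OpenSSL's tags name them.
PROTOCOL_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]

LINE_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)(\s+export)?\s*$"
)


@dataclass
class Suite:
    name: str
    introduced_in: str  # the protocol column: the version that defined the suite
    kx: str
    au: str
    enc: str
    mac: str
    export: bool


def parse_ciphers(text):
    """Parse `openssl ciphers -v` output into Suite records."""
    suites = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised cipher line: " + line)
        suites.append(Suite(m.group(1), m.group(2), m.group(3), m.group(4),
                            m.group(5), m.group(6), m.group(7) is not None))
    return suites


def usable_protocols(suite):
    """Versions under which the suite can be negotiated.

    The tag only records where the suite was introduced: an "SSLv3" suite is
    equally usable under TLS 1.0 through 1.2 (OpenSSL keeps offering the
    export and single-DES ones there too, despite RFC 4346 and RFC 5246),
    while a "TLSv1.2" suite needs the TLS 1.2 PRF and AEAD machinery.
    """
    if suite.introduced_in not in PROTOCOL_ORDER:
        return []
    return PROTOCOL_ORDER[PROTOCOL_ORDER.index(suite.introduced_in):]


def audit(suites):
    """Return {suite name: [reasons]} for suites a server should not offer:
    export-grade (dropped by RFC 4346), single DES (dropped by RFC 5246)
    and RC4 (prohibited by RFC 7465)."""
    findings = {}
    for s in suites:
        reasons = []
        if s.export:
            reasons.append("export-grade (removed in TLS 1.1, RFC 4346)")
        if re.match(r"DES\(", s.enc):  # plain DES only; 3DES starts with "3"
            reasons.append("single DES (removed in TLS 1.2, RFC 5246)")
        if s.enc.startswith("RC4"):
            reasons.append("RC4 (prohibited by RFC 7465)")
        if reasons:
            findings[s.name] = reasons
    return findings


if __name__ == "__main__":
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    parsed = parse_ciphers(data)
    for s in parsed:
        print(f"{s.name:28} tagged {s.introduced_in:8} usable under {usable_protocols(s)}")
    for name, reasons in audit(parsed).items():
        print("REMOVE", name, "->", "; ".join(reasons))
```

A list in which every line is tagged SSLv3 therefore says nothing about whether the server will negotiate TLS 1.0 through 1.2; that is governed by the protocol versions the SSL23 context allows, not by the cipher list.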
