
Similar to this security stackexchange question, I was wondering if there's any downside, considering the service's/server's security, if only TLS 1.2 is allowed but TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks is not enabled.

Theoretically, I don't see any effect of the missing SCSV, as there's only TLS 1.2 available anyways, but I'm not 100% sure.

What effect does the absence of SCSV have, if only TLS 1.2 is allowed in the first place?

Breakfast Serial
  • What do you mean by "not enabled" on the server? Does that mean that the server will silently ignore it if it ever sees it? -- It's the client who is responsible for setting this *"I've just done a manual last resort fallback because you obviously can't handle a graceful fallback"* SCSV-flag. And the server is then required to either say *"Wait a minute! I can totally do a graceful fallback! Someone is messing with the connection! Quitting now!"* or say nothing because it really is that old and doesn't know SCSV yet. – StackzOfZtuff Jun 28 '17 at 08:48
  • "Not enabled", as in, "Only TLS 1.2 is enabled." On NGINX this would look like `ssl_protocols TLSv1.2;`. Could you clarify your comment? I'm not sure what you're trying to tell me. – Breakfast Serial Jun 28 '17 at 10:59
  • But can you actually explicitly disable SCSV? (The handling algorithm I described above.) – StackzOfZtuff Jun 29 '17 at 08:52

1 Answer


Since the SCSV is merely a method to prevent downgrading and your server does not support any other protocols to downgrade to, I do not see any downside to that.

Correct me if I am wrong, but the SCSV would be for nothing with TLS 1.2 allowed only anyways.

MikeDyson
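As an added illustration of the answer's reasoning (not code from the question or the answer), the following models the server-side rule from RFC 7507 section 3; `server_decision` and `versions_where_scsv_matters` are names chosen here, and the cipher-suite lists are constructed. It shows that with NGINX's `ssl_protocols TLSv1.2;` (TLS 1.2 only) the SCSV never changes whether a handshake is accepted, whereas a server that also offers TLS 1.0/1.1 relies on it to refuse downgraded retries.

```python
# Model of how an RFC 7507-compliant server handles TLS_FALLBACK_SCSV.
# Constants are the real wire values; the functions and the sample
# cipher-suite lists are constructed for this illustration.

TLS_FALLBACK_SCSV = 0x5600                 # RFC 7507 signaling suite
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F      # an ordinary suite for the sample
TLS10, TLS11, TLS12 = 0x0301, 0x0302, 0x0303


def server_decision(server_versions, client_version, cipher_suites):
    """Model the ClientHello handling of an RFC 7507-compliant server.

    server_versions: versions the server is configured to accept,
                     e.g. {TLS12} for nginx 'ssl_protocols TLSv1.2;'.
    Returns (True, negotiated_version) when the handshake proceeds,
    or (False, alert_name) when the server refuses.
    """
    lowest, highest = min(server_versions), max(server_versions)
    # A version below everything the server offers is refused outright;
    # RFC 7507 says this protocol_version alert takes precedence.
    if client_version < lowest:
        return (False, "protocol_version")
    # The SCSV rule: the client says "this is a fallback retry", yet it
    # offers less than the server can do -> an earlier attempt was
    # interfered with, so refuse with inappropriate_fallback.
    if TLS_FALLBACK_SCSV in cipher_suites and client_version < highest:
        return (False, "inappropriate_fallback")
    # Ordinary negotiation: the highest version both sides support.
    return (True, max(v for v in server_versions if v <= client_version))


def versions_where_scsv_matters(server_versions):
    """Client versions for which the SCSV turns an otherwise accepted
    handshake into a refusal, i.e. where the SCSV adds protection."""
    plain = [TLS_RSA_WITH_AES_128_CBC_SHA]
    with_scsv = plain + [TLS_FALLBACK_SCSV]
    return {
        v for v in (TLS10, TLS11, TLS12)
        if server_decision(server_versions, v, plain)[0]
        and not server_decision(server_versions, v, with_scsv)[0]
    }


if __name__ == "__main__":
    print("TLS 1.2 only:", versions_where_scsv_matters({TLS12}))
    print("TLS 1.0-1.2:", versions_where_scsv_matters({TLS10, TLS11, TLS12}))
```

With only TLS 1.2 configured, every version the SCSV could flag is already refused with protocol_version, so the set of cases where the SCSV changes the outcome is empty.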