
Handshake Failure with TLS1.2 client and TLS1.3 server


After upgrading OpenSSL to version 1.1.1, I have a scenario where my client (ODBC) is running TLS 1.2 and my server (database) is running TLS 1.3, and it fails with the following error on the client side.

"SSL Handshake Failure reason [error:1407743E:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert inappropriate fallback]."

In the TLS 1.3 documentation it was written that fallback protection is enabled by default, and that when a TLS 1.2 client communicates with a TLS 1.3 server, the server sends special bytes for fallback protection.

Following are my doubts:

-- Do I have to handle these special bytes at my client?
-- Is there any other handling that is needed at the TLS 1.2 client to communicate with a TLS 1.3 server?
-- Or is there any other reason for the failure?


Solution

  • I'm guessing this is what happened:

    1) Client sends TLS 1.2 handshake
    2) Server closes connection because it only supports TLS 1.3
    3) Client retries with TLS 1.1 handshake with fallback SCSV (see RFC 7507)
    4) Server sends error message: inappropriate fallback

    The initial connection fails (step 2) because the client requests 1.2 and the server does not support it. The client retries with 1.1 in case the server might support this version. The fallback SCSV is sent to indicate that 1.1 is not the highest version the client supports.

    According to the SCSV RFC (7507):

    If TLS_FALLBACK_SCSV appears in ClientHello.cipher_suites and the highest protocol version supported by the server is higher than the version indicated in ClientHello.client_version, the server MUST respond with a fatal inappropriate_fallback alert.

    To answer your question, I believe the special bytes you mention are the SCSV, but this is sent by the client and handled by the server, so there is nothing to do on the client side. I believe the failure is due to the client and server not having a common version of TLS with which to communicate. If the client only supports 1.2 and the server only supports 1.3 they will not be able to agree on a version, and the connection will fail. Enabling TLS 1.2 at the server or 1.3 at the client should allow them to communicate.
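The four-step sequence described in the answer can be reproduced offline. The following is an added example, not part of the original answer or of OpenSSL: it parses a constructed ClientHello body and applies the RFC 7507 rule quoted above. The helper names, the sample cipher suite 0x002F, and the modelling of step 2 as a `protocol_version` alert are assumptions made for illustration.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600  # signaling cipher suite value defined by RFC 7507
VERSIONS = {0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}


def build_client_hello(version, suites):
    """Constructed sample: ClientHello body without record/handshake headers or extensions."""
    body = struct.pack("!H", version) + bytes(32)       # client_version + 32-byte random
    body += b"\x00"                                     # empty session_id
    body += struct.pack("!H", 2 * len(suites))          # cipher_suites length in bytes
    body += b"".join(struct.pack("!H", s) for s in suites)
    return body + b"\x01\x00"                           # one compression method: null


def parse_client_hello(body):
    """Return (client_version, [cipher suites]) from a ClientHello body."""
    if len(body) < 35:
        raise ValueError("truncated ClientHello")
    (version,) = struct.unpack_from("!H", body, 0)
    off = 35 + body[34]                                 # skip version, random, session_id
    if off + 2 > len(body):
        raise ValueError("truncated before cipher_suites")
    (n,) = struct.unpack_from("!H", body, off)
    off += 2
    if n % 2 or off + n > len(body):
        raise ValueError("bad cipher_suites length")
    return version, [struct.unpack_from("!H", body, off + i)[0] for i in range(0, n, 2)]


def server_response(body, server_versions):
    """Hypothetical server decision: the RFC 7507 check first, then version selection."""
    version, suites = parse_client_hello(body)
    if TLS_FALLBACK_SCSV in suites and max(server_versions) > version:
        return "alert: inappropriate_fallback"
    usable = [v for v in server_versions if v <= version]
    if not usable:
        return "alert: protocol_version"                # assumption: how step 2 is modelled
    return "negotiate " + VERSIONS[max(usable)]


if __name__ == "__main__":
    first = build_client_hello(0x0303, [0x002F])                     # step 1: TLS 1.2 hello
    retry = build_client_hello(0x0302, [0x002F, TLS_FALLBACK_SCSV])  # step 3: TLS 1.1 + SCSV
    print(server_response(first, {0x0304}))            # TLS 1.3-only server, step 2
    print(server_response(retry, {0x0304}))            # TLS 1.3-only server, step 4
    print(server_response(first, {0x0303, 0x0304}))    # after enabling TLS 1.2 on the server
```

With TLS 1.2 enabled on the server, the first ClientHello succeeds, so the client never sends the downgraded retry that triggers the alert.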