diff --git a/crypto/src/crypto/tls/AbstractTlsClient.cs b/crypto/src/crypto/tls/AbstractTlsClient.cs
index fedca0934..ee7a93803 100644
--- a/crypto/src/crypto/tls/AbstractTlsClient.cs
+++ b/crypto/src/crypto/tls/AbstractTlsClient.cs
@@ -89,9 +89,9 @@ namespace Org.BouncyCastle.Crypto.Tls
public virtual bool IsFallback
{
/*
- * draft-ietf-tls-downgrade-scsv-00 4. [..] is meant for use by clients that repeat a
- * connection attempt with a downgraded protocol in order to avoid interoperability problems
- * with legacy servers.
+ * RFC 7507 4. The TLS_FALLBACK_SCSV cipher suite value is meant for use by clients that
+ * repeat a connection attempt with a downgraded protocol (perform a "fallback retry") in
+ * order to work around interoperability problems with legacy servers.
*/
get { return false; }
}
diff --git a/crypto/src/crypto/tls/AbstractTlsServer.cs b/crypto/src/crypto/tls/AbstractTlsServer.cs
index 9f549cfd1..d87a294f0 100644
--- a/crypto/src/crypto/tls/AbstractTlsServer.cs
+++ b/crypto/src/crypto/tls/AbstractTlsServer.cs
@@ -113,10 +113,10 @@ namespace Org.BouncyCastle.Crypto.Tls
public virtual void NotifyFallback(bool isFallback)
{
/*
- * draft-ietf-tls-downgrade-scsv-00 3. If TLS_FALLBACK_SCSV appears in
- * ClientHello.cipher_suites and the highest protocol version supported by the server is
- * higher than the version indicated in ClientHello.client_version, the server MUST respond
- * with an inappropriate_fallback alert.
+ * RFC 7507 3. If TLS_FALLBACK_SCSV appears in ClientHello.cipher_suites and the highest
+ * protocol version supported by the server is higher than the version indicated in
+ * ClientHello.client_version, the server MUST respond with a fatal inappropriate_fallback
+ * alert [..].
*/
if (isFallback && MaximumVersion.IsLaterVersionOf(mClientVersion))
throw new TlsFatalAlert(AlertDescription.inappropriate_fallback);
diff --git a/crypto/src/crypto/tls/AlertDescription.cs b/crypto/src/crypto/tls/AlertDescription.cs
index 49de60cea..4e2464b50 100644
--- a/crypto/src/crypto/tls/AlertDescription.cs
+++ b/crypto/src/crypto/tls/AlertDescription.cs
@@ -215,13 +215,13 @@ namespace Org.BouncyCastle.Crypto.Tls
public const byte unknown_psk_identity = 115;
/*
- * draft-ietf-tls-downgrade-scsv-00
+ * RFC 7507
*/
/**
* If TLS_FALLBACK_SCSV appears in ClientHello.cipher_suites and the highest protocol version
* supported by the server is higher than the version indicated in ClientHello.client_version,
- * the server MUST respond with an inappropriate_fallback alert.
+ * the server MUST respond with a fatal inappropriate_fallback alert [..].
*/
public const byte inappropriate_fallback = 86;
diff --git a/crypto/src/crypto/tls/CipherSuite.cs b/crypto/src/crypto/tls/CipherSuite.cs
index 1ed0a5ef3..5aa556389 100644
--- a/crypto/src/crypto/tls/CipherSuite.cs
+++ b/crypto/src/crypto/tls/CipherSuite.cs
@@ -331,6 +331,11 @@ namespace Org.BouncyCastle.Crypto.Tls
public const int TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8 = 0xC0AF;
/*
+ * RFC 7507
+ */
+ public const int TLS_FALLBACK_SCSV = 0x5600;
+
+ /*
* draft-ietf-tls-chacha20-poly1305-04
*/
public const int DRAFT_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 = 0xCCA8;
@@ -341,11 +346,6 @@ namespace Org.BouncyCastle.Crypto.Tls
public const int DRAFT_TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 = 0xCCAD;
public const int DRAFT_TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 = 0xCCAE;
- /*
- * draft-ietf-tls-downgrade-scsv-00
- */
- public const int TLS_FALLBACK_SCSV = 0x5600;
-
public static bool IsScsv(int cipherSuite)
{
switch (cipherSuite)
diff --git a/crypto/src/crypto/tls/DtlsClientProtocol.cs b/crypto/src/crypto/tls/DtlsClientProtocol.cs
index 7cb554ae8..abb402077 100644
--- a/crypto/src/crypto/tls/DtlsClientProtocol.cs
+++ b/crypto/src/crypto/tls/DtlsClientProtocol.cs
@@ -431,10 +431,11 @@ namespace Org.BouncyCastle.Crypto.Tls
}
/*
- * draft-ietf-tls-downgrade-scsv-00 4. If a client sends a ClientHello.client_version
- * containing a lower value than the latest (highest-valued) version supported by the
- * client, it SHOULD include the TLS_FALLBACK_SCSV cipher suite value in
- * ClientHello.cipher_suites.
+ * RFC 7507 4. If a client sends a ClientHello.client_version containing a lower value
+ * than the latest (highest-valued) version supported by the client, it SHOULD include
+ * the TLS_FALLBACK_SCSV cipher suite value in ClientHello.cipher_suites [..]. (The
+ * client SHOULD put TLS_FALLBACK_SCSV after all cipher suites that it actually intends
+ * to negotiate.)
*/
if (fallback && !Arrays.Contains(state.offeredCipherSuites, CipherSuite.TLS_FALLBACK_SCSV))
{
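Review bot: The guard on the `if` line only tests whether TLS_FALLBACK_SCSV is already present in state.offeredCipherSuites, so the placement guidance the new comment introduces (the SCSV after every suite the client actually intends to negotiate) is neither checked nor enforced when the TlsClient itself supplied the value in its offered list; the same applies to the parallel hunk in TlsClientProtocol.cs. The code that adds the value when it is missing lies outside this hunk, so I cannot see whether it appends or inserts; if it appends, a short comment there such as `// RFC 7507 4: appended last so it follows every suite the client intends to negotiate` would tie the code to the quoted requirement. Since this is SHOULD-level guidance, a wrong position supplied by the TlsClient is probably better surfaced in the documentation of the client's offered-suite hook than rejected here, but it should be stated somewhere. The enclosing method continues past the end of the hunk.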
diff --git a/crypto/src/crypto/tls/TlsClientProtocol.cs b/crypto/src/crypto/tls/TlsClientProtocol.cs
index c2447e434..4c2a0a545 100644
--- a/crypto/src/crypto/tls/TlsClientProtocol.cs
+++ b/crypto/src/crypto/tls/TlsClientProtocol.cs
@@ -871,10 +871,11 @@ namespace Org.BouncyCastle.Crypto.Tls
}
/*
- * draft-ietf-tls-downgrade-scsv-00 4. If a client sends a ClientHello.client_version
- * containing a lower value than the latest (highest-valued) version supported by the
- * client, it SHOULD include the TLS_FALLBACK_SCSV cipher suite value in
- * ClientHello.cipher_suites.
+ * RFC 7507 4. If a client sends a ClientHello.client_version containing a lower value
+ * than the latest (highest-valued) version supported by the client, it SHOULD include
+ * the TLS_FALLBACK_SCSV cipher suite value in ClientHello.cipher_suites [..]. (The
+ * client SHOULD put TLS_FALLBACK_SCSV after all cipher suites that it actually intends
+ * to negotiate.)
*/
if (fallback && !Arrays.Contains(mOfferedCipherSuites, CipherSuite.TLS_FALLBACK_SCSV))
{