Reluctantly add server-side support for TLS_FALLBACK_SCSV.

This allows for clients that willingly choose to perform a downgrade and
attempt to establish a second connection at a lower protocol after the
previous attempt unexpectedly failed, to be notified and have the second
connection aborted, if the server does in fact support a higher protocol.

TLS has perfectly good version negotiation and client-side fallback is
dangerous. Despite this, in order to maintain maximum compatability with
broken web servers, most mainstream browsers implement this. Furthermore,
TLS_FALLBACK_SCSV only works if both the client and server support it and
there is effectively no way to tell if this is the case, unless you control
both ends.

Unfortunately, various auditors and vulnerability scanners (including
certain online assessment websites) consider the presence of a not yet
standardised feature to be important for security, even if the clients do
not perform client-side downgrade or the server only supports current TLS
protocols.

Diff is loosely based on OpenSSL with some inspiration from BoringSSL.

Discussed with beck@ and miod@.

ok bcook@

15 files changed, 159 insertions, 25 deletions

diff --git a/src/lib/libssl/src/ssl/s3_enc.c b/src/lib/libssl/src/ssl/s3_enc.c
index 0c7cda3c60..7e244b6c19 100644
--- a/src/lib/libssl/src/ssl/s3_enc.c
+++ b/src/lib/libssl/src/ssl/s3_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_enc.c,v 1.58 2014/12/15 00:46:53 doug Exp $ */
+/* $OpenBSD: s3_enc.c,v 1.59 2015/02/22 15:54:27 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -846,6 +846,8 @@ ssl3_alert_code(int code)
                 return (SSL3_AD_HANDSHAKE_FAILURE);
         case SSL_AD_UNKNOWN_PSK_IDENTITY:
                 return (TLS1_AD_UNKNOWN_PSK_IDENTITY);
+        case SSL_AD_INAPPROPRIATE_FALLBACK:
+                return (TLS1_AD_INAPPROPRIATE_FALLBACK);
         default:
                 return (-1);
         }
diff --git a/src/lib/libssl/src/ssl/ssl.h b/src/lib/libssl/src/ssl/ssl.h
index 626b967f15..73d007400f 100644
--- a/src/lib/libssl/src/ssl/ssl.h
+++ b/src/lib/libssl/src/ssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.82 2015/02/12 03:45:25 jsing Exp $ */
+/* $OpenBSD: ssl.h,v 1.83 2015/02/22 15:54:27 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1363,7 +1363,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 #define SSL_AD_UNRECOGNIZED_NAME        TLS1_AD_UNRECOGNIZED_NAME
 #define SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE
 #define SSL_AD_BAD_CERTIFICATE_HASH_VALUE TLS1_AD_BAD_CERTIFICATE_HASH_VALUE
-#define SSL_AD_UNKNOWN_PSK_IDENTITY     TLS1_AD_UNKNOWN_PSK_IDENTITY /* fatal */
+#define SSL_AD_UNKNOWN_PSK_IDENTITY     TLS1_AD_UNKNOWN_PSK_IDENTITY /* fatal */
+#define SSL_AD_INAPPROPRIATE_FALLBACK   TLS1_AD_INAPPROPRIATE_FALLBACK /* fatal */
 
 #define SSL_ERROR_NONE                  0
 #define SSL_ERROR_SSL                   1
@@ -2174,6 +2175,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_HTTPS_PROXY_REQUEST                        155
 #define SSL_R_HTTP_REQUEST                               156
 #define SSL_R_ILLEGAL_PADDING                            283
+#define SSL_R_INAPPROPRIATE_FALLBACK                     373
 #define SSL_R_INCONSISTENT_COMPRESSION                   340
 #define SSL_R_INVALID_CHALLENGE_LENGTH                   158
 #define SSL_R_INVALID_COMMAND                            280
@@ -2319,6 +2321,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED              1021
 #define SSL_R_TLSV1_ALERT_DECRYPT_ERROR                  1051
 #define SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION             1060
+#define SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK         1086
 #define SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY          1071
 #define SSL_R_TLSV1_ALERT_INTERNAL_ERROR                 1080
 #define SSL_R_TLSV1_ALERT_NO_RENEGOTIATION               1100
diff --git a/src/lib/libssl/src/ssl/ssl3.h b/src/lib/libssl/src/ssl/ssl3.h
index 644e8df16b..61f600c55d 100644
--- a/src/lib/libssl/src/ssl/ssl3.h
+++ b/src/lib/libssl/src/ssl/ssl3.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl3.h,v 1.35 2015/02/12 03:45:25 jsing Exp $ */
+/* $OpenBSD: ssl3.h,v 1.36 2015/02/22 15:54:27 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -125,9 +125,12 @@
 extern "C" {
 #endif
 
-/* Signalling cipher suite value: from draft-ietf-tls-renegotiation-03.txt */
+/* TLS_EMPTY_RENEGOTIATION_INFO_SCSV from RFC 5746. */
 #define SSL3_CK_SCSV                            0x030000FF
 
+/* TLS_FALLBACK_SCSV from draft-ietf-tls-downgrade-scsv-03. */
+#define SSL3_CK_FALLBACK_SCSV                   0x03005600
+
 #define SSL3_CK_RSA_NULL_MD5                    0x03000001
 #define SSL3_CK_RSA_NULL_SHA                    0x03000002
 #define SSL3_CK_RSA_RC4_40_MD5                  0x03000003
diff --git a/src/lib/libssl/src/ssl/ssl_err.c b/src/lib/libssl/src/ssl/ssl_err.c
index 891d5216c2..04742b60ca 100644
--- a/src/lib/libssl/src/ssl/ssl_err.c
+++ b/src/lib/libssl/src/ssl/ssl_err.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_err.c,v 1.28 2014/12/14 15:30:50 jsing Exp $ */
+/* $OpenBSD: ssl_err.c,v 1.29 2015/02/22 15:54:27 jsing Exp $ */
 /* ====================================================================
  * Copyright (c) 1999-2011 The OpenSSL Project.  All rights reserved.
  *
@@ -385,6 +385,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= {
         {ERR_REASON(SSL_R_HTTPS_PROXY_REQUEST)   , "https proxy request"},
         {ERR_REASON(SSL_R_HTTP_REQUEST)          , "http request"},
         {ERR_REASON(SSL_R_ILLEGAL_PADDING)       , "illegal padding"},
+        {ERR_REASON(SSL_R_INAPPROPRIATE_FALLBACK), "inappropriate fallback"},
         {ERR_REASON(SSL_R_INCONSISTENT_COMPRESSION), "inconsistent compression"},
         {ERR_REASON(SSL_R_INVALID_CHALLENGE_LENGTH), "invalid challenge length"},
         {ERR_REASON(SSL_R_INVALID_COMMAND)       , "invalid command"},
@@ -530,6 +531,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= {
         {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPTION_FAILED), "tlsv1 alert decryption failed"},
         {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPT_ERROR), "tlsv1 alert decrypt error"},
         {ERR_REASON(SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION), "tlsv1 alert export restriction"},
+        {ERR_REASON(SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK), "tlsv1 alert inappropriate fallback"},
         {ERR_REASON(SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY), "tlsv1 alert insufficient security"},
         {ERR_REASON(SSL_R_TLSV1_ALERT_INTERNAL_ERROR), "tlsv1 alert internal error"},
         {ERR_REASON(SSL_R_TLSV1_ALERT_NO_RENEGOTIATION), "tlsv1 alert no renegotiation"},
diff --git a/src/lib/libssl/src/ssl/ssl_lib.c b/src/lib/libssl/src/ssl/ssl_lib.c
index 58835931d2..d7b5283501 100644
--- a/src/lib/libssl/src/ssl/ssl_lib.c
+++ b/src/lib/libssl/src/ssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.100 2015/02/22 15:29:39 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.101 2015/02/22 15:54:27 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1419,7 +1419,9 @@ ssl_bytes_to_cipher_list(SSL *s, unsigned char *p, int num,
         const SSL_CIPHER        *c;
         STACK_OF(SSL_CIPHER)    *sk;
         int                      i;
+        unsigned long            cipher_id;
         uint16_t                 cipher_value;
+        uint16_t                 max_version;
 
         if (s->s3)
                 s->s3->send_connection_binding = 0;
@@ -1440,10 +1442,13 @@ ssl_bytes_to_cipher_list(SSL *s, unsigned char *p, int num,
 
         for (i = 0; i < num; i += SSL3_CIPHER_VALUE_SIZE) {
                 n2s(p, cipher_value);
+                cipher_id = SSL3_CK_ID | cipher_value;
 
-                /* Check for SCSV */
-                if (s->s3 && (SSL3_CK_ID | cipher_value) == SSL3_CK_SCSV) {
-                        /* SCSV is fatal if renegotiating. */
+                if (s->s3 != NULL && cipher_id == SSL3_CK_SCSV) {
+                        /*
+                         * TLS_EMPTY_RENEGOTIATION_INFO_SCSV is fatal if
+                         * renegotiating.
+                         */
                         if (s->renegotiate) {
                                 SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
                                     SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
@@ -1456,6 +1461,25 @@ ssl_bytes_to_cipher_list(SSL *s, unsigned char *p, int num,
                         continue;
                 }
 
+                if (cipher_id == SSL3_CK_FALLBACK_SCSV) {
+                        /*
+                         * TLS_FALLBACK_SCSV indicates that the client
+                         * previously tried a higher protocol version.
+                         * Fail if the current version is an unexpected
+                         * downgrade.
+                         */
+                        max_version = ssl_max_server_version(s);
+                        if (max_version == 0 || s->version < max_version) {
+                                SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
+                                    SSL_R_INAPPROPRIATE_FALLBACK);
+                                if (s->s3 != NULL)
+                                        ssl3_send_alert(s, SSL3_AL_FATAL,
+                                            SSL_AD_INAPPROPRIATE_FALLBACK);
+                                goto err;
+                        }
+                        continue;
+                }
+
                 if ((c = ssl3_get_cipher_by_value(cipher_value)) != NULL) {
                         if (!sk_SSL_CIPHER_push(sk, c)) {
                                 SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
@@ -2543,6 +2567,36 @@ SSL_get_version(const SSL *s)
         return ssl_version_string(s->version);
 }
 
+uint16_t
+ssl_max_server_version(SSL *s)
+{
+        uint16_t max_version;
+
+        /*
+         * The SSL method will be changed during version negotiation, as such
+         * we want to use the SSL method from the context.
+         */
+        max_version = s->ctx->method->version;
+
+        if (SSL_IS_DTLS(s))
+                return (DTLS1_VERSION);
+
+        if ((s->options & SSL_OP_NO_TLSv1_2) == 0 &&
+            max_version >= TLS1_2_VERSION)
+                return (TLS1_2_VERSION);
+        if ((s->options & SSL_OP_NO_TLSv1_1) == 0 &&
+            max_version >= TLS1_1_VERSION)
+                return (TLS1_1_VERSION);
+        if ((s->options & SSL_OP_NO_TLSv1) == 0 &&
+            max_version >= TLS1_VERSION)
+                return (TLS1_VERSION);
+        if ((s->options & SSL_OP_NO_SSLv3) == 0 &&
+            max_version >= SSL3_VERSION)
+                return (SSL3_VERSION);
+
+        return (0);
+}
+
 SSL *
 SSL_dup(SSL *s)
 {
diff --git a/src/lib/libssl/src/ssl/ssl_locl.h b/src/lib/libssl/src/ssl/ssl_locl.h
index 3b7694fc94..c38aa3a90d 100644
--- a/src/lib/libssl/src/ssl/ssl_locl.h
+++ b/src/lib/libssl/src/ssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.87 2015/02/12 03:45:25 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.88 2015/02/22 15:54:27 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -545,6 +545,7 @@ extern SSL_CIPHER ssl3_ciphers[];
 
 SSL_METHOD *ssl_bad_method(int ver);
 const char *ssl_version_string(int ver);
+uint16_t ssl_max_server_version(SSL *s);
 
 extern SSL3_ENC_METHOD TLSv1_enc_data;
 extern SSL3_ENC_METHOD TLSv1_1_enc_data;
diff --git a/src/lib/libssl/src/ssl/t1_enc.c b/src/lib/libssl/src/ssl/t1_enc.c
index f7c4bc8dde..6e069edd4b 100644
--- a/src/lib/libssl/src/ssl/t1_enc.c
+++ b/src/lib/libssl/src/ssl/t1_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_enc.c,v 1.76 2015/02/07 18:53:55 doug Exp $ */
+/* $OpenBSD: t1_enc.c,v 1.77 2015/02/22 15:54:27 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1240,6 +1240,8 @@ tls1_alert_code(int code)
                 return (TLS1_AD_BAD_CERTIFICATE_HASH_VALUE);
         case SSL_AD_UNKNOWN_PSK_IDENTITY:
                 return (TLS1_AD_UNKNOWN_PSK_IDENTITY);
+        case SSL_AD_INAPPROPRIATE_FALLBACK:
+                return(TLS1_AD_INAPPROPRIATE_FALLBACK);
         default:
                 return (-1);
         }
diff --git a/src/lib/libssl/src/ssl/tls1.h b/src/lib/libssl/src/ssl/tls1.h
index 6182daa837..3dffb97b5c 100644
--- a/src/lib/libssl/src/ssl/tls1.h
+++ b/src/lib/libssl/src/ssl/tls1.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls1.h,v 1.24 2015/02/12 03:45:25 jsing Exp $ */
+/* $OpenBSD: tls1.h,v 1.25 2015/02/22 15:54:27 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -187,6 +187,7 @@ extern "C" {
 #define TLS1_AD_PROTOCOL_VERSION        70      /* fatal */
 #define TLS1_AD_INSUFFICIENT_SECURITY   71      /* fatal */
 #define TLS1_AD_INTERNAL_ERROR          80      /* fatal */
+#define TLS1_AD_INAPPROPRIATE_FALLBACK  86      /* fatal */
 #define TLS1_AD_USER_CANCELLED          90
 #define TLS1_AD_NO_RENEGOTIATION        100
 /* Codes 110-114 are from RFC 3546. */
diff --git a/src/lib/libssl/ssl.h b/src/lib/libssl/ssl.h
index 626b967f15..73d007400f 100644
--- a/src/lib/libssl/ssl.h
+++ b/src/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.82 2015/02/12 03:45:25 jsing Exp $ */
+/* $OpenBSD: ssl.h,v 1.83 2015/02/22 15:54:27 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1363,7 +1363,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
 #define SSL_AD_UNRECOGNIZED_NAME        TLS1_AD_UNRECOGNIZED_NAME
 #define SSL_AD_BAD_CERTIFICATE_STATUS_RESPONSE TLS1_AD_BAD_CERTIFICATE_STATUS_RESPONSE
 #define SSL_AD_BAD_CERTIFICATE_HASH_VALUE TLS1_AD_BAD_CERTIFICATE_HASH_VALUE
-#define SSL_AD_UNKNOWN_PSK_IDENTITY     TLS1_AD_UNKNOWN_PSK_IDENTITY /* fatal */
+#define SSL_AD_UNKNOWN_PSK_IDENTITY     TLS1_AD_UNKNOWN_PSK_IDENTITY /* fatal */
+#define SSL_AD_INAPPROPRIATE_FALLBACK   TLS1_AD_INAPPROPRIATE_FALLBACK /* fatal */
 
 #define SSL_ERROR_NONE                  0
 #define SSL_ERROR_SSL                   1
@@ -2174,6 +2175,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_HTTPS_PROXY_REQUEST                        155
 #define SSL_R_HTTP_REQUEST                               156
 #define SSL_R_ILLEGAL_PADDING                            283
+#define SSL_R_INAPPROPRIATE_FALLBACK                     373
 #define SSL_R_INCONSISTENT_COMPRESSION                   340
 #define SSL_R_INVALID_CHALLENGE_LENGTH                   158
 #define SSL_R_INVALID_COMMAND                            280
@@ -2319,6 +2321,7 @@ void ERR_load_SSL_strings(void);
 #define SSL_R_TLSV1_ALERT_DECRYPTION_FAILED              1021
 #define SSL_R_TLSV1_ALERT_DECRYPT_ERROR                  1051
 #define SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION             1060
+#define SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK         1086
 #define SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY          1071
 #define SSL_R_TLSV1_ALERT_INTERNAL_ERROR                 1080
 #define SSL_R_TLSV1_ALERT_NO_RENEGOTIATION               1100
diff --git a/src/lib/libssl/ssl3.h b/src/lib/libssl/ssl3.h
index 644e8df16b..61f600c55d 100644
--- a/src/lib/libssl/ssl3.h
+++ b/src/lib/libssl/ssl3.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl3.h,v 1.35 2015/02/12 03:45:25 jsing Exp $ */
+/* $OpenBSD: ssl3.h,v 1.36 2015/02/22 15:54:27 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -125,9 +125,12 @@
 extern "C" {
 #endif
 
-/* Signalling cipher suite value: from draft-ietf-tls-renegotiation-03.txt */
+/* TLS_EMPTY_RENEGOTIATION_INFO_SCSV from RFC 5746. */
 #define SSL3_CK_SCSV                            0x030000FF
 
+/* TLS_FALLBACK_SCSV from draft-ietf-tls-downgrade-scsv-03. */
+#define SSL3_CK_FALLBACK_SCSV                   0x03005600
+
 #define SSL3_CK_RSA_NULL_MD5                    0x03000001
 #define SSL3_CK_RSA_NULL_SHA                    0x03000002
 #define SSL3_CK_RSA_RC4_40_MD5                  0x03000003
diff --git a/src/lib/libssl/ssl_err.c b/src/lib/libssl/ssl_err.c
index 891d5216c2..04742b60ca 100644
--- a/src/lib/libssl/ssl_err.c
+++ b/src/lib/libssl/ssl_err.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_err.c,v 1.28 2014/12/14 15:30:50 jsing Exp $ */
+/* $OpenBSD: ssl_err.c,v 1.29 2015/02/22 15:54:27 jsing Exp $ */
 /* ====================================================================
  * Copyright (c) 1999-2011 The OpenSSL Project.  All rights reserved.
  *
@@ -385,6 +385,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= {
         {ERR_REASON(SSL_R_HTTPS_PROXY_REQUEST)   , "https proxy request"},
         {ERR_REASON(SSL_R_HTTP_REQUEST)          , "http request"},
         {ERR_REASON(SSL_R_ILLEGAL_PADDING)       , "illegal padding"},
+        {ERR_REASON(SSL_R_INAPPROPRIATE_FALLBACK), "inappropriate fallback"},
         {ERR_REASON(SSL_R_INCONSISTENT_COMPRESSION), "inconsistent compression"},
         {ERR_REASON(SSL_R_INVALID_CHALLENGE_LENGTH), "invalid challenge length"},
         {ERR_REASON(SSL_R_INVALID_COMMAND)       , "invalid command"},
@@ -530,6 +531,7 @@ static ERR_STRING_DATA SSL_str_reasons[]= {
         {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPTION_FAILED), "tlsv1 alert decryption failed"},
         {ERR_REASON(SSL_R_TLSV1_ALERT_DECRYPT_ERROR), "tlsv1 alert decrypt error"},
         {ERR_REASON(SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION), "tlsv1 alert export restriction"},
+        {ERR_REASON(SSL_R_TLSV1_ALERT_INAPPROPRIATE_FALLBACK), "tlsv1 alert inappropriate fallback"},
         {ERR_REASON(SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY), "tlsv1 alert insufficient security"},
         {ERR_REASON(SSL_R_TLSV1_ALERT_INTERNAL_ERROR), "tlsv1 alert internal error"},
         {ERR_REASON(SSL_R_TLSV1_ALERT_NO_RENEGOTIATION), "tlsv1 alert no renegotiation"},
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 58835931d2..d7b5283501 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.100 2015/02/22 15:29:39 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.101 2015/02/22 15:54:27 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1419,7 +1419,9 @@ ssl_bytes_to_cipher_list(SSL *s, unsigned char *p, int num,
         const SSL_CIPHER        *c;
         STACK_OF(SSL_CIPHER)    *sk;
         int                      i;
+        unsigned long            cipher_id;
         uint16_t                 cipher_value;
+        uint16_t                 max_version;
 
         if (s->s3)
                 s->s3->send_connection_binding = 0;
@@ -1440,10 +1442,13 @@ ssl_bytes_to_cipher_list(SSL *s, unsigned char *p, int num,
 
         for (i = 0; i < num; i += SSL3_CIPHER_VALUE_SIZE) {
                 n2s(p, cipher_value);
+                cipher_id = SSL3_CK_ID | cipher_value;
 
-                /* Check for SCSV */
-                if (s->s3 && (SSL3_CK_ID | cipher_value) == SSL3_CK_SCSV) {
-                        /* SCSV is fatal if renegotiating. */
+                if (s->s3 != NULL && cipher_id == SSL3_CK_SCSV) {
+                        /*
+                         * TLS_EMPTY_RENEGOTIATION_INFO_SCSV is fatal if
+                         * renegotiating.
+                         */
                         if (s->renegotiate) {
                                 SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
                                     SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING);
@@ -1456,6 +1461,25 @@ ssl_bytes_to_cipher_list(SSL *s, unsigned char *p, int num,
                         continue;
                 }
 
+                if (cipher_id == SSL3_CK_FALLBACK_SCSV) {
+                        /*
+                         * TLS_FALLBACK_SCSV indicates that the client
+                         * previously tried a higher protocol version.
+                         * Fail if the current version is an unexpected
+                         * downgrade.
+                         */
+                        max_version = ssl_max_server_version(s);
+                        if (max_version == 0 || s->version < max_version) {
+                                SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
+                                    SSL_R_INAPPROPRIATE_FALLBACK);
+                                if (s->s3 != NULL)
+                                        ssl3_send_alert(s, SSL3_AL_FATAL,
+                                            SSL_AD_INAPPROPRIATE_FALLBACK);
+                                goto err;
+                        }
+                        continue;
+                }
+
                 if ((c = ssl3_get_cipher_by_value(cipher_value)) != NULL) {
                         if (!sk_SSL_CIPHER_push(sk, c)) {
                                 SSLerr(SSL_F_SSL_BYTES_TO_CIPHER_LIST,
@@ -2543,6 +2567,36 @@ SSL_get_version(const SSL *s)
         return ssl_version_string(s->version);
 }
 
+uint16_t
+ssl_max_server_version(SSL *s)
+{
+        uint16_t max_version;
+
+        /*
+         * The SSL method will be changed during version negotiation, as such
+         * we want to use the SSL method from the context.
+         */
+        max_version = s->ctx->method->version;
+
+        if (SSL_IS_DTLS(s))
+                return (DTLS1_VERSION);
+
+        if ((s->options & SSL_OP_NO_TLSv1_2) == 0 &&
+            max_version >= TLS1_2_VERSION)
+                return (TLS1_2_VERSION);
+        if ((s->options & SSL_OP_NO_TLSv1_1) == 0 &&
+            max_version >= TLS1_1_VERSION)
+                return (TLS1_1_VERSION);
+        if ((s->options & SSL_OP_NO_TLSv1) == 0 &&
+            max_version >= TLS1_VERSION)
+                return (TLS1_VERSION);
+        if ((s->options & SSL_OP_NO_SSLv3) == 0 &&
+            max_version >= SSL3_VERSION)
+                return (SSL3_VERSION);
+
+        return (0);
+}
+
 SSL *
 SSL_dup(SSL *s)
 {
diff --git a/src/lib/libssl/ssl_locl.h b/src/lib/libssl/ssl_locl.h
index 3b7694fc94..c38aa3a90d 100644
--- a/src/lib/libssl/ssl_locl.h
+++ b/src/lib/libssl/ssl_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_locl.h,v 1.87 2015/02/12 03:45:25 jsing Exp $ */
+/* $OpenBSD: ssl_locl.h,v 1.88 2015/02/22 15:54:27 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -545,6 +545,7 @@ extern SSL_CIPHER ssl3_ciphers[];
 
 SSL_METHOD *ssl_bad_method(int ver);
 const char *ssl_version_string(int ver);
+uint16_t ssl_max_server_version(SSL *s);
 
 extern SSL3_ENC_METHOD TLSv1_enc_data;
 extern SSL3_ENC_METHOD TLSv1_1_enc_data;
diff --git a/src/lib/libssl/t1_enc.c b/src/lib/libssl/t1_enc.c
index f7c4bc8dde..6e069edd4b 100644
--- a/src/lib/libssl/t1_enc.c
+++ b/src/lib/libssl/t1_enc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: t1_enc.c,v 1.76 2015/02/07 18:53:55 doug Exp $ */
+/* $OpenBSD: t1_enc.c,v 1.77 2015/02/22 15:54:27 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1240,6 +1240,8 @@ tls1_alert_code(int code)
                 return (TLS1_AD_BAD_CERTIFICATE_HASH_VALUE);
         case SSL_AD_UNKNOWN_PSK_IDENTITY:
                 return (TLS1_AD_UNKNOWN_PSK_IDENTITY);
+        case SSL_AD_INAPPROPRIATE_FALLBACK:
+                return(TLS1_AD_INAPPROPRIATE_FALLBACK);
         default:
                 return (-1);
         }
diff --git a/src/lib/libssl/tls1.h b/src/lib/libssl/tls1.h
index 6182daa837..3dffb97b5c 100644
--- a/src/lib/libssl/tls1.h
+++ b/src/lib/libssl/tls1.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls1.h,v 1.24 2015/02/12 03:45:25 jsing Exp $ */
+/* $OpenBSD: tls1.h,v 1.25 2015/02/22 15:54:27 jsing Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -187,6 +187,7 @@ extern "C" {
 #define TLS1_AD_PROTOCOL_VERSION        70      /* fatal */
 #define TLS1_AD_INSUFFICIENT_SECURITY   71      /* fatal */
 #define TLS1_AD_INTERNAL_ERROR          80      /* fatal */
+#define TLS1_AD_INAPPROPRIATE_FALLBACK  86      /* fatal */
 #define TLS1_AD_USER_CANCELLED          90
 #define TLS1_AD_NO_RENEGOTIATION        100
 /* Codes 110-114 are from RFC 3546. */