I tried calling SSL_client_hello_get0_ciphers(), and it returned a different list of ciphers than SSL_get_client_ciphers.
This module ignores TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0xff or 0x0) by calling SSL_get_client_ciphers().
Is this intended or not? Should we ignore invalid ciphers?
Besides confirming this issue, I also observed that, in the JA4 plugin for Wireshark that was developed by the same author, TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff) would be included in the cipher list. As a result, this nginx module and Wireshark will produce different JA4 values for the same TLS session.
RFC 5746 and 7507 defined two Signalling Cipher-Suite Values (SCSVs), and OpenSSL implemented them accordingly:
TLS_EMPTY_RENEGOTIATION_INFO_SCSV (0x00ff)
TLS_FALLBACK_SCSV (0x5600)
However, in the JA4 Technical Details doc, regarding cipher suites, it only mentioned that GREASE values should be ignored. There's no detail about whether these two SCSVs should be included or skipped.
@john-althouse could you help to clarify the expected behavior on those SCSVs? I feel this is quite important as your code has shown different implementations. Once that is well defined, I can probably make a PR to either this repo or to the Wireshark repo to align them. Thanks!
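The divergence discussed above, as an added example (not code from this module, the Wireshark plugin, or the JA4 author): it computes the cipher count and cipher hash for one ClientHello cipher list with the SCSVs kept and with them skipped. The hash layout (sorted 4-character lowercase hex, comma-joined, SHA-256 truncated to 12 characters) is an assumption taken from the public JA4 description, the function names are hypothetical, and the sample bytes are constructed.

```python
import hashlib

# Signalling values named in the thread (RFC 5746 and RFC 7507).
SCSVS = {0x00FF, 0x5600}

# Constructed sample: GREASE 0x0a0a, three real suites, then 0x00ff.
SAMPLE = bytes.fromhex("0a0a 1301 1302 c02f 00ff")


def is_grease(value):
    """GREASE values are 0x0a0a, 0x1a1a, ... 0xfafa (RFC 8701)."""
    return (value & 0x0F0F) == 0x0A0A and (value >> 8) == (value & 0xFF)


def parse_cipher_suites(raw):
    """Split the ClientHello cipher_suites bytes into 16-bit values."""
    if len(raw) % 2:
        raise ValueError("cipher_suites length must be even")
    return [int.from_bytes(raw[i:i + 2], "big") for i in range(0, len(raw), 2)]


def ja4_cipher_part(raw, keep_scsv):
    """Return (two-digit cipher count, 12-character cipher hash)."""
    suites = [v for v in parse_cipher_suites(raw) if not is_grease(v)]
    if not keep_scsv:
        # Assumption: models a cipher list from which both SCSVs are absent.
        suites = [v for v in suites if v not in SCSVS]
    if not suites:
        return "00", "0" * 12  # assumed JA4 convention for an empty list
    joined = ",".join(sorted(f"{v:04x}" for v in suites))
    digest = hashlib.sha256(joined.encode()).hexdigest()[:12]
    return f"{min(len(suites), 99):02d}", digest


if __name__ == "__main__":
    # Same ClientHello, two fingerprints: the count and the hash both change.
    print("SCSV kept:   ", ja4_cipher_part(SAMPLE, keep_scsv=True))
    print("SCSV skipped:", ja4_cipher_part(SAMPLE, keep_scsv=False))
```

Because the SCSV changes both the count field and the hashed list, two tools that disagree on it never match on the same session, so fingerprints from one cannot be looked up in data collected by the other.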