Eric Rescorla wrote: > Dave Garrett <davemgarr...@gmail.com> wrote: > >> On Wednesday, October 21, 2015 07:56:13 pm Eric Rescorla wrote: >>> https://github.com/tlswg/tls13-spec/issues/292 >>> >>> Presently, RFC 4492 only specifies the EC points it can support in >>> ServerHello, but does not let the server indicate which EC curves it >>> supports. Unless I'm missing something, this means that there's >>> no way for the server to indicate what groups it would support. >>> >>> That seems less than ideal. There seem like three options here: >>> >>> 1. Put it in CertificateRequest >>> 2. Send it in ServerHello >>> 3. Do nothing. >> >> I prefer #2. I don't think encryption is necessarily required for this, >> but EncryptedExtensions is fine too (Martin's 2b). >> >> I'm generally against putting it in CertificateRequest, as we're reusing >> an existing hello extension so keeping it in a hello message (or it's >> trailing encrypted field) seems best. (restricted to TLS 1.3+ clients, >> though) > > > This would need to be limited to 1.3 in any case because in all the other > cases it would be illegal.
Why do you believe that it would be "illegal" for a TLSv1.[012] server to return a "Supported Elliptic Curves" TLS extension in ServerHello in response to the presence of such a TLS extension in ClientHello? rfc4492 does not define semantics for the presence of "Supported Elliptic Curves" TLS extension in ServerHello, but on a quick read, it also does not prohibit including/sending it. https://tools.ietf.org/html/rfc4492#section-5.2 -Martin _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
