Hi,

Per the latest draft of TLS 1.3, both "supported_groups" and "key_share" extensions are REQUIRED for DHE or ECDHE cipher suites (Section 8.2). Both extensions need to provide the supported named groups in preference order. Looks like the functions overlap. I was wondering, it may be nice to obsolete the "supported_groups" extension, and use the "key_share" extension for both the supported named groups and the key exchange information for each group.

For the "supported_groups" extension, the description is (Section 6.3.2.2):

---------------
Clients which offer one or more (EC)DHE cipher suites MUST send at least one supported NamedGroup value and servers MUST NOT negotiate any of these cipher suites unless a supported value was provided. If this extension is not provided and no alternative cipher suite is available, the server MUST close the connection with a fatal "missing_extension" alert. (see Section 8.2)

If the extension is provided, but no compatible group is offered, the server MUST NOT negotiate a cipher suite of the relevant type. For instance, if a client supplies only ECDHE groups, the server MUST NOT negotiate finite field Diffie-Hellman. If no acceptable group can be selected across all cipher suites, then the server MUST generate a fatal "handshake_failure" alert.
---------------

For the "key_share" extension, the description is (Section 6.3.2.3):

---------------
Clients which offer one or more (EC)DHE cipher suites MUST send at least one supported KeyShare value and servers MUST NOT negotiate any of these cipher suites unless a supported value was provided. If this extension is not provided in a ServerHello or retried ClientHello, and the peer is offering (EC)DHE cipher suites, then the endpoint MUST close the connection with a fatal "missing_extension" alert.
---------------

The "supported_groups" extension defines the groups, while the "key_share" extension defines both the groups and the key exchange information. Both extensions have their own preferences for the supported named groups. It's easy to get conflicted if the two preferences are not consistent.

The "key_share" extension contains the information of the supported named groups. So, the information can be used to indicate the client supported named groups. Maybe, for TLS 1.3, it is not necessary to use the "supported_groups" extension any more.

Cheers,
Xuelei
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
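The conflict the message describes can be checked mechanically on a ClientHello. The following is an added example, not part of the original message or of any TLS implementation: it parses the two extension bodies and reports where the "key_share" groups disagree with the "supported_groups" preference list. It assumes the wire encodings of the published TLS 1.3 specification (RFC 8446), which may differ from the draft under discussion; all function names and sample inputs are constructed for illustration.

```python
import struct

# IANA code points for a few named groups (subset, used only for readable output).
NAMES = {23: "secp256r1", 24: "secp384r1", 29: "x25519", 256: "ffdhe2048"}

def encode_supported_groups(groups):
    """Build a supported_groups body: uint16 byte length, then uint16 groups."""
    return struct.pack(f"!H{len(groups)}H", 2 * len(groups), *groups)

def encode_key_share(entries):
    """Build a ClientHello key_share body from (group, key_exchange) pairs."""
    shares = b"".join(struct.pack("!HH", g, len(k)) + k for g, k in entries)
    return struct.pack("!H", len(shares)) + shares

def parse_supported_groups(body):
    """Return the client's named groups in preference order."""
    if len(body) < 4 or len(body) % 2:
        raise ValueError("bad supported_groups body")
    (n,) = struct.unpack_from("!H", body, 0)
    if n != len(body) - 2:
        raise ValueError("bad named_group_list length")
    return list(struct.unpack_from(f"!{n // 2}H", body, 2))

def parse_key_share(body):
    """Return the groups of the client's KeyShareEntry list, in offered order."""
    if len(body) < 2 or struct.unpack_from("!H", body, 0)[0] != len(body) - 2:
        raise ValueError("bad client_shares length")
    groups, off = [], 2
    while off < len(body):
        if off + 4 > len(body):
            raise ValueError("truncated KeyShareEntry header")
        group, klen = struct.unpack_from("!HH", body, off)
        off += 4 + klen                      # skip the opaque key_exchange bytes
        if klen == 0 or off > len(body):
            raise ValueError("bad key_exchange length")
        groups.append(group)
    return groups

def check_consistency(supported, shares):
    """List the ways key_share disagrees with supported_groups (empty = consistent)."""
    name = lambda g: NAMES.get(g, hex(g))
    problems = [f"{name(g)} has a key share but is not in supported_groups"
                for g in shares if g not in supported]
    if len(set(shares)) != len(shares):
        problems.append("duplicate group in key_share")
    # Shares for listed groups must appear in the same relative order as the list.
    ranks = [supported.index(g) for g in shares if g in supported]
    if ranks != sorted(ranks):
        problems.append("key_share order contradicts supported_groups preference")
    return problems
```

A server or a test harness can run `check_consistency` on each parsed ClientHello and log or reject hellos for which the returned list is not empty.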