I am looking at the specification of the key share extension, section 6.3.2.3 
of the 1.3 draft. I think that the behavior is somewhat underspecified. The 
spec says: 

...Clients MAY omit this extension from the ClientHello, and in response to 
this, servers MUST send a HelloRetryRequest requesting use of one of the groups 
the client offered support for in its "supported_groups" extension. If no 
common supported group is available, the server MUST produce a fatal 
"handshake_failure" alert.

I am concerned with the hypothetical case in which the client sends a list of 
groups in the "named group" extension but only sends keys for a subset of these 
groups in the "key share" extension. For example, a client might propose 
secp256r1 and secp384r1 in the named group extension, leading the server to 
select secp256r1, but only provide a key for secp384r1 in the key share 
extension. The server has two options:

* produce a fatal handshake failure alert, because no common supported group is 
available,
* or, send a HelloRetryRequest requesting use of one of the groups the client 
offered support for, secp256r1 in the example.

Which is the correct interpretation? Is one of these behaviors preferred, or 
are both available?

Also, what is supposed to happen if the client sends an empty Key Share 
extension? Or, if its listed key share extensions list keys for groups that are 
not indicated in the "named group" extension?

-- Christian Huitema


_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
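
The cases raised in the message above can be told apart mechanically. The following is an added example, not part of the original message or of any TLS implementation: it parses the two extension bodies and names which case a ClientHello falls into, without deciding what the server should send back. It assumes the extension encodings as published in RFC 8446 (the draft under discussion may differ); the function names and case labels are hypothetical, and the sample bytes are constructed.

```python
import struct
from typing import List, Optional

SECP256R1, SECP384R1 = 0x0017, 0x0018  # IANA code points for the groups in the message

def encode_groups(groups: List[int]) -> bytes:
    """Build a supported_groups body: uint16 byte length, then uint16 ids."""
    return struct.pack(f"!H{len(groups)}H", 2 * len(groups), *groups)

def encode_shares(entries) -> bytes:
    """Build a ClientHello key_share body from (group, key_bytes) pairs."""
    body = b"".join(struct.pack("!HH", g, len(k)) + k for g, k in entries)
    return struct.pack("!H", len(body)) + body

def parse_groups(data: bytes) -> List[int]:
    (n,) = struct.unpack_from("!H", data)
    if n != len(data) - 2 or n % 2:
        raise ValueError("malformed supported_groups")
    return list(struct.unpack_from(f"!{n // 2}H", data, 2))

def parse_share_groups(data: bytes) -> List[int]:
    """Return the group id of every KeyShareEntry, in order."""
    (n,) = struct.unpack_from("!H", data)
    if n != len(data) - 2:
        raise ValueError("malformed key_share")
    groups, off = [], 2
    while off < len(data):
        group, klen = struct.unpack_from("!HH", data, off)
        off += 4 + klen
        if off > len(data):
            raise ValueError("truncated KeyShareEntry")
        groups.append(group)
    return groups

def classify(supported: bytes, key_share: Optional[bytes], server_prefs: List[int]) -> str:
    """Name the case only; what the server sends in reply is the open question."""
    offered = parse_groups(supported)
    selected = next((g for g in server_prefs if g in offered), None)
    if selected is None:
        return "no-common-group"          # covered by the quoted spec text
    if key_share is None:
        return "key-share-omitted"        # covered by the quoted spec text
    shares = parse_share_groups(key_share)
    if not shares:
        return "key-share-empty"
    if any(g not in offered for g in shares):
        return "share-for-unoffered-group"
    return "share-available" if selected in shares else "selected-group-has-no-share"

if __name__ == "__main__":
    groups = encode_groups([SECP256R1, SECP384R1])              # constructed sample
    shares = encode_shares([(SECP384R1, b"\x04" + bytes(96))])  # dummy key bytes
    print(classify(groups, shares, [SECP256R1, SECP384R1]))
```
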
