On Tue, Jan 12, 2016 at 09:41:26AM -0800, Eric Rescorla wrote:
> On Tue, Jan 12, 2016 at 9:17 AM, Ilari Liusvaara <ilariliusva...@welho.com>
> wrote:
>
> > DHE has serious problems. While the present TLS 1.3 way of doing DHE
> > isn't totally horrible, advertise DHE and you can get downnegotiation to
> > TLS 1.2 DHE, and now you are screwed.
>
> Nit: this shouldn't be possible with the anti-downgrade mechanism that was
> introduced in draft-11 because the server's signature will cover the random
> value. If you are aware of an issue here, I would appreciate more information.

Won't help here, since the server just doesn't support TLS 1.3. The issue isn't that TLS 1.2 was negotiated, it is that the client is now faced with old-style DHE.

-Ilari
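The distinction drawn in this exchange, as an added example that is not part of the original thread: a client-side check showing that the downgrade sentinel only fires for a TLS 1.3-capable server, while a genuine TLS 1.2-only server offering DHE passes it and must be judged on the DHE parameters instead. It assumes the sentinel in its final RFC 8446 form (the thread discusses draft-11); the function name, the 2048-bit threshold and the sample handshake values are constructed for illustration.

```python
# Added illustration; not code from the thread or from any TLS library.

# Sentinel a TLS 1.3-capable server writes into the last 8 bytes of
# ServerHello.random when it negotiates TLS 1.2 (RFC 8446, section 4.1.3).
DOWNGRADE_TLS12 = bytes.fromhex("444f574e47524401")  # "DOWNGRD" + 0x01
TLS12 = 0x0303

# A few TLS_DHE_RSA_* cipher suite code points (finite-field DHE in TLS 1.2).
DHE_SUITES = {0x0033, 0x0039, 0x009E, 0x009F}

MIN_DHE_BITS = 2048  # hypothetical local policy, not a value from the thread


def evaluate_server_hello(client_offered_tls13, version, server_random,
                          suite, dh_prime=None):
    """Return the list of findings for one negotiated handshake."""
    findings = []
    # Case 1: the server could have done TLS 1.3 but TLS 1.2 was negotiated.
    if (client_offered_tls13 and version == TLS12
            and server_random[-8:] == DOWNGRADE_TLS12):
        findings.append("downgrade-sentinel")
    # Case 2: old-style DHE was selected. A TLS 1.2-only server never sets
    # the sentinel, so this has to be checked independently of case 1.
    if version <= TLS12 and suite in DHE_SUITES:
        findings.append("legacy-dhe")
        if dh_prime is not None and dh_prime.bit_length() < MIN_DHE_BITS:
            findings.append("small-dhe-group")
    return findings


# Constructed sample inputs (not captured traffic).
PLAIN_RANDOM = bytes(range(32))                      # TLS 1.2-only server
SIGNALLED_RANDOM = bytes(range(24)) + DOWNGRADE_TLS12  # TLS 1.3-capable server
SMALL_MODULUS = (1 << 1023) | 1   # 1024-bit stand-in, used only for its size
ECDHE_SUITE = 0xC02F              # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

if __name__ == "__main__":
    print(evaluate_server_hello(True, TLS12, SIGNALLED_RANDOM, ECDHE_SUITE))
    print(evaluate_server_hello(True, TLS12, PLAIN_RANDOM, 0x009E, SMALL_MODULUS))
```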