On Sun, Mar 20, 2016 at 4:09 AM, Ilari Liusvaara <ilariliusva...@welho.com> wrote:

> [1] TLS 1.3 doesn't completely fix this: Even if TLS 1.3 itself has
> negotiated DHE parameter sizes, there is nothing preventing
> down-negotiation to TLS 1.2, followed by server dumping some bad
> parameter sizes (forcing client to either break connection or being
> vulnerable to downgrade attacks).

The ServerRandom anti-downgrade mechanism should prevent this downgrade from 1.3 to 1.2 even in this setting.

-Ekr
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
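The ServerRandom check mentioned in the reply, as an added example that is not part of the original thread: both sides of the sentinel logic, showing a 1.3-capable client rejecting a forced fall-back to TLS 1.2. Assumptions: the sentinel values and their position (last 8 bytes) follow RFC 8446 section 4.1.3 as later published, which may differ from the draft current when this mail was sent; the function names are hypothetical.

```python
import os

# Sentinels from RFC 8446 section 4.1.3, carried in the last 8 bytes of
# ServerHello.random. In (EC)DHE suites the server's ServerKeyExchange
# signature covers this random, so an attacker cannot strip the marker.
DOWNGRADE_TLS12 = b"DOWNGRD\x01"  # 1.3-capable server negotiating TLS 1.2
DOWNGRADE_TLS11 = b"DOWNGRD\x00"  # 1.2+-capable server negotiating <= TLS 1.1

TLS11, TLS12, TLS13 = 0x0302, 0x0303, 0x0304  # wire version numbers


def server_random(server_max: int, negotiated: int) -> bytes:
    """Server side: 32-byte random, with the sentinel when falling back."""
    rnd = os.urandom(32)
    if server_max >= TLS13 and negotiated == TLS12:
        return rnd[:24] + DOWNGRADE_TLS12
    if server_max >= TLS12 and negotiated <= TLS11:
        return rnd[:24] + DOWNGRADE_TLS11
    return rnd


def downgrade_detected(client_max: int, negotiated: int, random: bytes) -> bool:
    """Client side: True means abort the handshake (illegal_parameter)."""
    if len(random) != 32:
        raise ValueError("ServerHello.random must be 32 bytes")
    tail = random[-8:]
    if client_max >= TLS13 and negotiated <= TLS12:
        # A 1.3 client must reject either sentinel on a lower version.
        return tail in (DOWNGRADE_TLS12, DOWNGRADE_TLS11)
    if client_max == TLS12 and negotiated <= TLS11:
        return tail == DOWNGRADE_TLS11
    return False


if __name__ == "__main__":
    # Constructed scenario: both peers support 1.3, but a tampered
    # ClientHello made the server answer with TLS 1.2.
    forced = server_random(server_max=TLS13, negotiated=TLS12)
    print("abort handshake:", downgrade_detected(TLS13, TLS12, forced))
```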