Hello all,

I am confused about this specification. I searched the mail archives, and it seems not to have been mentioned before:

rfc5246 7.4.1.3. Server Hello

   cipher_suite
      For resumed sessions, this field is the value from the state of
      the session being resumed.

There is no 'MUST' restricting the server from picking a different cipher, even though we all know the resume must fail. So it's a little tricky if a server implementation does the wrong thing but is not explicitly against this RFC.

And referring to rfc 2119, 6. Guidance in the use of these Imperatives

   In particular, they MUST only be used where it is actually required
   for interoperation or to limit behavior which has potential for
   causing harm (e.g., limiting retransmisssions)

E.g., if the server does pick a different cipher in the server hello, it indeed causes a renegotiation instead of a successful resume.

So is it possible to make this specification more strict with a 'MUST'?

"For resumed sessions, this field s/is/MUST/ the value from the state of the session being resumed."

Thank you!

BR
Rik
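
An added example, not part of the original message: a minimal client-side check of the field under discussion. It parses a TLS 1.2 ServerHello body and compares the echoed session_id and cipher_suite with a cached session; the cache layout, function names, result labels and sample bytes are constructed for illustration.

```python
import struct

# Suite codes from RFC 5246 A.5; the sample session itself is constructed.
TLS_RSA_WITH_AES_128_CBC_SHA = 0x002F
TLS_RSA_WITH_AES_256_CBC_SHA = 0x0035


def parse_server_hello(body: bytes) -> dict:
    """Parse a TLS 1.2 ServerHello body (no 4-byte handshake header)."""
    if len(body) < 35:                       # version(2) + random(32) + sid_len(1)
        raise ValueError("truncated ServerHello")
    sid_len = body[34]
    end = 35 + sid_len
    if sid_len > 32 or len(body) < end + 3:  # cipher_suite(2) + compression(1)
        raise ValueError("bad session_id length or truncated ServerHello")
    (cipher_suite,) = struct.unpack_from("!H", body, end)
    return {
        "version": struct.unpack_from("!H", body, 0)[0],
        "session_id": body[35:end],
        "cipher_suite": cipher_suite,
        "compression_method": body[end + 2],
    }


def classify_resumption(cached: dict, hello: dict) -> str:
    """Compare a ServerHello with a cached session (hypothetical cache layout)."""
    sid = hello["session_id"]
    if not sid or sid != cached["session_id"]:
        return "full-handshake"              # server did not echo our session_id
    if hello["cipher_suite"] != cached["cipher_suite"]:
        return "cipher-mismatch"             # echoed session_id, different suite
    return "resumed"


def build_server_hello(session_id: bytes, cipher_suite: int) -> bytes:
    """Build a constructed ServerHello body for the demo (zeroed random)."""
    return (struct.pack("!H", 0x0303) + bytes(32) + bytes([len(session_id)])
            + session_id + struct.pack("!HB", cipher_suite, 0))


CACHED = {"session_id": bytes(range(32)),
          "cipher_suite": TLS_RSA_WITH_AES_128_CBC_SHA}

if __name__ == "__main__":
    for sid, suite in [(CACHED["session_id"], TLS_RSA_WITH_AES_128_CBC_SHA),
                       (CACHED["session_id"], TLS_RSA_WITH_AES_256_CBC_SHA),
                       (bytes(32), TLS_RSA_WITH_AES_256_CBC_SHA)]:
        hello = parse_server_hello(build_server_hello(sid, suite))
        print(f"suite=0x{hello['cipher_suite']:04X} ->",
              classify_resumption(CACHED, hello))
```

The "cipher-mismatch" result is the case the message asks about: the server echoes the cached session_id but selects a suite other than the one stored in the session state.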