I've been looking through this in a bit more detail and have found some pretty problematic text in there...
> If a compatible TLS server receives a Supported Groups extension from a client that includes any FFDHE group (i.e., any codepoint between 256 and 511, inclusive, even if unknown to the server), and if none of the client-proposed FFDHE groups are known and acceptable to the server, then the server MUST NOT select an FFDHE cipher suite. In this case, the server SHOULD select an acceptable non-FFDHE cipher suite from the client's offered list.

As far as I can see, what this text is saying is that if the client can't guess in advance which PFS suite/group the server knows about, the server must disable use of PFS. In other words, instead of saying "give me a PFS suite, preferably with this group", it's saying "give me a PFS suite with exactly this group and if you can't do that, don't do PFS". This seems like a pretty awful way to handle things. This is reinforced by:

> A compatible TLS server that receives the Supported Groups extension with FFDHE codepoints in it and that selects an FFDHE cipher suite MUST select one of the client's offered groups.

In my mind this makes the FFDHE extension so toxic to use that I'd rather not support it at all, because it disables PFS unless you're really lucky in guessing what the server can do. Either that or it'll be like certain parts of TLS 1.2 where everyone knows that you need to ignore what the spec says in order for things to work...

Peter.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
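The two quoted rules, worked through as a server-side suite selector. This is an added example, not code from the post or from any TLS implementation; the suite names are constructed labels (not IANA codepoints), the FFDHE codepoints are the registered ones (ffdhe2048 = 256, ffdhe3072 = 257, ffdhe4096 = 258, and 256..511 is the FFDHE range), and `secp256r1` = 23 is included only to show the ECDHE fallback. The first scenario in `__main__` is the case the post objects to: the client guesses ffdhe2048, the server only accepts ffdhe3072, and with no ECDHE suite on offer the rule forces static RSA, i.e. no forward secrecy.

```python
# Added example: server-side cipher-suite/group selection under the FFDHE
# negotiation rules quoted in the post (the text is RFC 7919 section 4).
# Not code from the post or from any TLS stack; suite names are constructed.

# Named-group codepoints registered for FFDHE; 256..511 is reserved for FFDHE.
FFDHE2048, FFDHE3072, FFDHE4096 = 256, 257, 258
SECP256R1 = 23            # an ECDHE curve codepoint, for contrast
FFDHE_RANGE = range(256, 512)

# Constructed suite labels mapped to their key-exchange method (not IANA codepoints).
SUITE_KX = {
    "DHE-RSA-AES128-GCM-SHA256": "ffdhe",
    "ECDHE-RSA-AES128-GCM-SHA256": "ecdhe",
    "RSA-AES128-GCM-SHA256": "rsa",   # static RSA: no forward secrecy
}


class HandshakeFailure(Exception):
    pass


def select_suite(client_suites, client_groups, server_suites, server_ffdhe, server_ecdhe):
    """Return (suite, group), honouring the client's suite preference order.

    client_groups: codepoints from the client's Supported Groups extension.
    server_ffdhe / server_ecdhe: codepoints the server is willing to use.
    group is None when the suite carries no negotiated group.
    """
    client_ffdhe = [g for g in client_groups if g in FFDHE_RANGE]
    # First quoted rule: the client listed at least one FFDHE codepoint and
    # none of them is acceptable here -> an FFDHE suite MUST NOT be selected.
    ffdhe_blocked = bool(client_ffdhe) and not any(g in server_ffdhe for g in client_ffdhe)

    for suite in client_suites:
        if suite not in server_suites:
            continue
        kx = SUITE_KX[suite]
        if kx == "ffdhe":
            if ffdhe_blocked:
                continue                      # skip; SHOULD pick a non-FFDHE suite instead
            if client_ffdhe:
                # Second quoted rule: the group MUST be one the client offered.
                group = next(g for g in client_ffdhe if g in server_ffdhe)
            else:
                # Client sent no FFDHE codepoints: pre-FFDHE behaviour, the
                # server supplies its own DH parameters (modelled as None).
                group = None
            return suite, group
        if kx == "ecdhe":
            curves = [g for g in client_groups if g in server_ecdhe]
            if not curves:
                continue
            return suite, curves[0]
        return suite, None                    # static RSA
    raise HandshakeFailure("no acceptable cipher suite")


def has_forward_secrecy(suite):
    return SUITE_KX[suite] in ("ffdhe", "ecdhe")


if __name__ == "__main__":
    server_suites = set(SUITE_KX)
    # The post's scenario: client knows only ffdhe2048, server accepts only
    # ffdhe3072, and the client offers no ECDHE suite to fall back on.
    suite, group = select_suite(
        ["DHE-RSA-AES128-GCM-SHA256", "RSA-AES128-GCM-SHA256"], [FFDHE2048],
        server_suites, {FFDHE3072}, {SECP256R1})
    print(suite, group, has_forward_secrecy(suite))   # RSA-AES128-GCM-SHA256 None False

    # Same client, but it also lists ffdhe3072: now DHE with that group is chosen.
    suite, group = select_suite(
        ["DHE-RSA-AES128-GCM-SHA256", "RSA-AES128-GCM-SHA256"], [FFDHE2048, FFDHE3072],
        server_suites, {FFDHE3072}, {SECP256R1})
    print(suite, group, has_forward_secrecy(suite))   # DHE-RSA-AES128-GCM-SHA256 257 True
```

Note that a client with no FFDHE codepoints at all (an empty or ECDHE-only Supported Groups list) is not caught by the rule and still gets server-chosen DHE parameters, which is exactly the asymmetry the post is pointing at: advertising a group you support can leave you worse off than saying nothing.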