Peter Gutmann <pgut...@cs.auckland.ac.nz> writes:
> Viktor Dukhovni <ietf-d...@dukhovni.org> writes:
>
> >There's no guess, the client sends its full list of supported
> >groups, and the server picks the one it likes.
>
> ... and if the client doesn't get it exactly right, the server has to fall
> back to RSA rather than use another DHE suite of its choosing.

I believe that's the intention; the assumption is that the client using
this extension doesn't want DHE parameters that it doesn't have
configured, it only wants one of a pre-validated list of
groups/generators. It especially doesn't want the server to say "well, I
know the client listed only groups 2048-bit and higher, but I have this
512-bit group, let's use that".

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
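
The selection rule discussed in this message, sketched from the server's side as an added example (not part of the thread and not any TLS library's code). The function name, the policy shape and the `custom-512` group label are assumptions made for illustration; the sample lists are constructed.

```python
# Added illustration: server-side choice between DHE and a non-DHE fallback
# when the client has listed the finite-field groups it accepts.
DHE_PREFIX = "TLS_DHE_"

def select_key_exchange(client_suites, client_groups, server_suites, server_groups):
    """Return (suite, group); group is None when a non-DHE suite is chosen.

    client_groups: groups the client listed in its hello.
    server_groups: groups the server has configured, in server preference order.
    Raises ValueError when no mutually acceptable suite remains.
    """
    # Only groups the client listed are eligible. The server's preference
    # order decides among them, but it never adds a group of its own.
    common = [g for g in server_groups if g in client_groups]
    for suite in server_suites:
        if suite not in client_suites:
            continue
        if suite.startswith(DHE_PREFIX):
            if common:
                return suite, common[0]
            continue  # no shared group: skip DHE rather than substitute one
        return suite, None
    raise ValueError("no mutually acceptable cipher suite")

# Constructed sample input.
CLIENT_SUITES = ["TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
                 "TLS_RSA_WITH_AES_128_GCM_SHA256"]
CLIENT_GROUPS = ["ffdhe2048", "ffdhe3072"]
SERVER_SUITES = ["TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
                 "TLS_RSA_WITH_AES_128_GCM_SHA256"]

if __name__ == "__main__":
    # Server holds one listed group and one unlisted weak group.
    print(select_key_exchange(CLIENT_SUITES, CLIENT_GROUPS,
                              SERVER_SUITES, ["custom-512", "ffdhe3072"]))
    # Server holds only the unlisted weak group: falls back to RSA.
    print(select_key_exchange(CLIENT_SUITES, CLIENT_GROUPS,
                              SERVER_SUITES, ["custom-512"]))
```

A client that offers only DHE suites and shares no group with the server gets a handshake failure (the `ValueError` here) instead of a downgrade to the 512-bit group.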