On Mon, Oct 31, 2016 at 06:43:52PM +0000, Matt Caswell wrote:
> A few supported_versions questions:
> 
> 1) What should a server do if supported_versions is received but
> ClientHello.legacy_version != TLS1.2? Fail the handshake, or just
> ignore legacy_version?

If legacy_version > TLS1.2, the spec requires the server to ignore
legacy_version.

The case where legacy_version < TLS1.2 IIRC isn't specified, but
ignoring legacy_version is reasonable in this case too.

> 2) What should a server do if supported_versions is received,
> ClientHello.legacy_version == TLS1.2, but supported_versions does not
> contain TLS1.3 or TLS1.2 (e.g. it contains TLS1.1 or below)? Fail the
> handshake, use the legacy_version, or use the versions in
> supported_versions?

There's also the case where supported_versions has TLS 1.1 and TLS 1.4,
the latter the server has never heard about...

> 3) If the answer to (2) above is ignore the legacy_version, and just
> use the versions in supported_versions, which client_version should be
> used in the RSA pre-master secret calculation? The one in
> legacy_version, or the highest one in supported_versions? Presumably
> it has to be the one in legacy_version, otherwise things will fail when
> the client talks to a server that doesn't understand
> supported_versions?

Yeah, I presume putting the version in legacy_version is the only sane
thing to do. But that causes other problems with downgrade protection.

OTOH, RSA key exchange is known to be very broken and is affected by
all kinds of downgrade (and other) attacks. So if one wants actual
security, it needs to be removed.



-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
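The server-side version selection discussed in this exchange (legacy_version ignored once supported_versions is present, an unrecognised value such as a "TLS 1.4" skipped, handshake failure when nothing overlaps), as an added Python example that is not part of the thread or of any TLS implementation; the extension wire layout, the highest-common-version preference rule and the 0x0305 placeholder value are assumptions.

```python
import struct
from typing import List, Optional, Set

# TLS ProtocolVersion values (constructed table; 0x0305 stands in for a
# hypothetical "TLS 1.4" the server has never heard of).
TLS10, TLS11, TLS12, TLS13 = 0x0301, 0x0302, 0x0303, 0x0304


def parse_supported_versions(body: bytes) -> List[int]:
    """Decode the ClientHello supported_versions body: a 1-byte length
    followed by 2-byte ProtocolVersion values in client preference order."""
    if not body:
        raise ValueError("empty supported_versions")
    n = body[0]
    if n == 0 or n % 2 or 1 + n != len(body):
        raise ValueError("malformed supported_versions length")
    return [struct.unpack_from("!H", body, 1 + i)[0] for i in range(0, n, 2)]


def select_version(legacy_version: int, supported_versions: Optional[bytes],
                   server_versions: Set[int]) -> Optional[int]:
    """Return the version the server negotiates, or None to abort the handshake."""
    if supported_versions is None:
        # No extension: pre-1.3 negotiation, legacy_version is the client's
        # maximum, and anything above TLS 1.2 still negotiates at most TLS 1.2.
        client_max = min(legacy_version, TLS12)
        candidates = [v for v in server_versions if v <= client_max]
        return max(candidates) if candidates else None
    offered = parse_supported_versions(supported_versions)
    # Extension present: legacy_version is ignored entirely, whatever it says.
    # Versions the server does not recognise (e.g. 0x0305) are skipped, and the
    # highest version both sides list wins (a design choice for this example).
    common = [v for v in offered if v in server_versions]
    return max(common) if common else None
```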