RFC 5246 has the following in section 7.4.7.1 (RSA-Encrypted Premaster Secret):

   client_version
      The latest (newest) version supported by the client. This is used to detect version rollback attacks.

The TLS 1.3 draft specification has the following in section 1.4 (Updates Affecting TLS 1.2):

   The “supported_versions” ClientHello extension can be used to negotiate the version of TLS to use, in preference to the legacy_version field of the ClientHello.

I would appreciate some clarification regarding the value of "client_version" in a ClientKeyExchange if:

- ClientHello.legacy_version = TLS 1.2, and
- ClientHello.supported_versions extension has TLS 1.3, and
- TLS 1.2 is negotiated (either because the server does not support TLS 1.3, or because the TLS 1.3-capable server is configured to respond with TLS 1.2 for some reason)

My assumption is that ClientHello.legacy_version should be used because the client would not know whether the server ignored the supported_versions extension - is that correct?

--Roelof
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
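The scenario in the message above, as an added example that is not part of the original post: it builds the 48-byte PreMasterSecret of RFC 5246 section 7.4.7.1 and runs the server-side version check, taking as an assumption the poster's reading that ClientHello.legacy_version is the value carried in client_version. The function names are hypothetical and the RSA encryption step is omitted.

```python
import hmac
import os
import struct

TLS_1_2 = (3, 3)  # ProtocolVersion sent in ClientHello.legacy_version
TLS_1_3 = (3, 4)  # offered only inside the supported_versions extension


def build_premaster_secret(legacy_version):
    """Client side: client_version (2 bytes) followed by 46 random bytes.

    Assumption (the poster's reading): client_version is taken from
    ClientHello.legacy_version, not from supported_versions.
    """
    return struct.pack("!BB", *legacy_version) + os.urandom(46)


def server_select_premaster(decrypted, client_hello_legacy_version):
    """Server side, after RSA decryption of the ClientKeyExchange.

    RFC 5246 7.4.7.1: on a bad length or unexpected version the server
    must not send an alert; it continues with a random premaster secret,
    so the handshake fails later at Finished without a padding or
    version oracle. The fallback is generated before the check.
    Note: this Python selection is illustrative, not constant-time.
    """
    fallback = os.urandom(48)
    expected = struct.pack("!BB", *client_hello_legacy_version)
    ok = len(decrypted) == 48 and hmac.compare_digest(decrypted[:2], expected)
    return decrypted if ok else fallback


def demo():
    # Constructed ClientHello values matching the three conditions in the post.
    client_hello = {
        "legacy_version": TLS_1_2,
        "supported_versions": [TLS_1_3, TLS_1_2],
    }
    pms = build_premaster_secret(client_hello["legacy_version"])
    accepted = server_select_premaster(pms, client_hello["legacy_version"])
    return pms, accepted


if __name__ == "__main__":
    pms, accepted = demo()
    print("client_version bytes:", pms[:2].hex(), "accepted:", accepted == pms)
```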