On 22 May 2017 at 21:18, Roelof Du Toit <roelof_dut...@symantec.com> wrote:
> RFC 5246 has the following in section 7.4.7.1 (RSA-Encrypted Premaster
> Secret):
>
>     client_version
>         The latest (newest) version supported by the client. This is
>         used to detect version rollback attacks.
>
> The TLS 1.3 draft specification has the following in section 1.4 (Updates
> Affecting TLS 1.2)
>
>     The “supported_versions” ClientHello extension can be used to negotiate
>     the version of TLS to use, in preference to the legacy_version field of the
>     ClientHello.
>
> I would appreciate some clarification regarding the value of
> "client_version" in a ClientKeyExchange if:
>
> - ClientHello.legacy_version = TLS 1.2, and
> - ClientHello.supported_versions extension has TLS 1.3, and
> - TLS 1.2 is negotiated (either because the server does not support TLS 1.3,
>   or because the TLS 1.3-capable server is configured to respond with TLS 1.2
>   for some reason)
>
> My assumption is that ClientHello.legacy_version should be used because the
> client would not know whether the server ignored the supported_versions
> extension - is that correct?

That is the interpretation that OpenSSL takes - and I believe that is true for other implementations as well.

Matt

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
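
The scenario in this thread, as an added example that is not part of the original messages and is not OpenSSL's code: a model of the RFC 5246 section 7.4.7.1 server-side handling (first algorithm in that section), showing that the RSA key exchange only agrees when the premaster secret carries ClientHello.legacy_version. All function names are hypothetical, and the RSA encrypt/decrypt step is omitted (the plaintext is passed directly).

```python
import os

TLS12 = b"\x03\x03"  # ClientHello.legacy_version in the scenario above
TLS13 = b"\x03\x04"  # highest version offered in supported_versions


def client_premaster(version_bytes):
    """Client side: 2-byte client_version followed by 46 random bytes."""
    if len(version_bytes) != 2:
        raise ValueError("client_version is exactly two bytes")
    return version_bytes + os.urandom(46)


def server_premaster(decrypted, hello_legacy_version):
    """Server side, after RSA decryption (hypothetical helper).

    `decrypted` is the recovered plaintext, or None if the PKCS#1 padding
    was bad. The server raises no distinct error for any failure; it keeps
    going with a value the client cannot know, so a bad message only
    surfaces later as a Finished mismatch.
    """
    r = os.urandom(46)  # always generated, whether or not it is used
    if decrypted is None or len(decrypted) != 48:
        return hello_legacy_version + r
    # The version bytes come from the ClientHello, not from the plaintext,
    # so a premaster secret carrying any other version stops matching.
    return hello_legacy_version + decrypted[2:]


def rsa_kx_succeeds(version_in_pms, hello_legacy_version=TLS12):
    """True if both sides end up with the same 48-byte premaster secret."""
    pms_client = client_premaster(version_in_pms)
    pms_server = server_premaster(pms_client, hello_legacy_version)
    return pms_client == pms_server


if __name__ == "__main__":
    # Client offered TLS 1.3 in supported_versions, server negotiated TLS 1.2.
    print("premaster uses legacy_version (0x0303):", rsa_kx_succeeds(TLS12))
    print("premaster uses supported_versions max (0x0304):", rsa_kx_succeeds(TLS13))
```
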