On Mon, Jul 24, 2017 at 01:48:13PM +0000, Raja ashok wrote: > Hi Nir, Josefsson & Pegourie, > > As per section 5.2 server should send only "Supported Point Format" > extensions in server hello message. And it doesn't require to send > "Supported Elliptic Curve" extensions. Because of this if server is > supporting only few Curves and if it receives unsupported Elliptic > curve in client certificate message, then server might not be able > to continue the handshake.
In TLS 1.2, the client sends the list of curves (and other groups and DHFs) it supports. The server picks one if it can. Thus if there is at least one common curve that both client and server support, then the group selection will succeed (if there is none, then no matter what one does things won't work). The actual curve server selected is transmitted in ServerKeyExchange message. In TLS 1.3, things get bit more complicated, since client can signal it supports a group without sending a share for it (if server selects such group, it needs to tell the client to retry using HelloRetryRequest message). The server group selection is in KeyShare extension in ServerHello message. -Ilari _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
