Hello,

Draft 22 says:

    An implementation may receive an unencrypted record of type
    change_cipher_spec consisting of the single byte value 0x01 at any
    time during the handshake and MUST simply drop it without further
    processing.

That requirement is hard to meet in a library that implements both TLS1.2 and TLS1.3 -- a CCS prior to ServerHello would have to be both fatally rejected (TLS1.2) and dropped without further processing (TLS1.3).

Are there any problems with tightening up "at any time during the handshake"? Or perhaps I should be interpreting the time prior to ServerHello as not being "during the handshake"?

--

There's inconsistency in whether the supported_versions extension is allowed in HelloRetryRequest. 4.2.1 and B.3.1.1 say no, but 4.1.4, 4.2 and 9.2 say yes. I'll assume that's an omission and submit a PR.

Cheers,
Joe
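
Added example, not part of the message above or of the draft: a sketch of the record-layer decision a dual-version library faces for a change_cipher_spec record, showing that the two rules collide only while the version is still unknown. The names (ccs_action, rule_tls12, rule_tls13, SAMPLE_CCS), the fatal handling of any body other than 0x01, and the simplified TLS 1.2 path after ServerHello are assumptions of this example.

```python
from enum import Enum
from typing import Optional

CCS = 20  # ContentType change_cipher_spec


class Action(Enum):
    DROP = "drop without further processing"
    FATAL = "reject with a fatal alert"
    PROCESS = "pass to the TLS 1.2 handshake state machine"
    CONFLICT = "version unknown and the two rules disagree"


def parse_ccs(record: bytes) -> bytes:
    """Return the body of a change_cipher_spec record read from the wire."""
    if len(record) < 5:
        raise ValueError("short record header")
    ctype, length = record[0], int.from_bytes(record[3:5], "big")
    if ctype != CCS:
        raise ValueError("not a change_cipher_spec record")
    if len(record) != 5 + length:
        raise ValueError("length field does not match record size")
    return record[5:]


def rule_tls13(body: bytes) -> Action:
    # Draft 22 text quoted in the message: the single byte 0x01 is dropped.
    # Treating any other body as fatal is this example's assumption.
    return Action.DROP if body == b"\x01" else Action.FATAL


def rule_tls12(body: bytes, server_hello_seen: bool) -> Action:
    # Per the message, a CCS before ServerHello is fatally rejected in TLS 1.2.
    # After ServerHello the state machine decides (simplified here).
    if body != b"\x01" or not server_hello_seen:
        return Action.FATAL
    return Action.PROCESS


def ccs_action(record: bytes, negotiated: Optional[str]) -> Action:
    """negotiated is None until ServerHello has fixed the protocol version."""
    body = parse_ccs(record)
    if negotiated == "1.3":
        return rule_tls13(body)
    if negotiated == "1.2":
        return rule_tls12(body, server_hello_seen=True)
    # Version not yet known: both rules apply to the same bytes.
    a13, a12 = rule_tls13(body), rule_tls12(body, server_hello_seen=False)
    return a13 if a13 == a12 else Action.CONFLICT


# Constructed sample: type 20, legacy version 0x0303, length 1, body 0x01.
SAMPLE_CCS = bytes([CCS, 0x03, 0x03, 0x00, 0x01, 0x01])
```

Only the well-formed record is ambiguous: a malformed body is fatal under both rules, so the disagreement is confined to the exact 0x01 record arriving before the version is fixed.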