On Wed, Aug 8, 2018 at 7:11 AM, Matt Caswell <m...@openssl.org> wrote:
> > > On 08/08/18 15:06, Eric Rescorla wrote: > > The spec is actually extremely clear on this point > > https://tools.ietf.org/html/draft-ietf-tls-tls13-28#section-4.1.3 > > <https://tools.ietf.org/html/draft-ietf-tls-tls13-28#section-4.1.3> > > > > TLS 1.3 clients receiving a ServerHello indicating TLS 1.2 or below > > MUST check that the last 8 bytes are not equal to either of these > > values. TLS 1.2 clients SHOULD also check that the last 8 bytes are > > not equal to the second value if the ServerHello indicates TLS 1.1 or > > below. If a match is found, the client MUST abort the handshake with > > an "illegal_parameter" alert. > > In this case the client is acting as a TLS 1.2 client so I don't think > that this paragraph applies. > Well, not quite. It's a TLS 1.3 implementation that has sent a TLS 1.2 CH, but that looks the same to the server as an active downgrade. This text was is in fact intended to cover this case -- and that's how NSS interprets it -- though perhaps it's not as explicit as one would like. Regardless, I think illegal_parameter is a reasonable alert to send, especially as sending a separate alert in the case of fallback and of active downgrade is a pain. -Ekr > Matt > >
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
