On 08/08/18 15:21, Eric Rescorla wrote: > > > On Wed, Aug 8, 2018 at 7:11 AM, Matt Caswell <m...@openssl.org > <mailto:m...@openssl.org>> wrote: > > > > On 08/08/18 15:06, Eric Rescorla wrote: > > The spec is actually extremely clear on this point > > https://tools.ietf.org/html/draft-ietf-tls-tls13-28#section-4.1.3 > <https://tools.ietf.org/html/draft-ietf-tls-tls13-28#section-4.1.3> > > <https://tools.ietf.org/html/draft-ietf-tls-tls13-28#section-4.1.3 > <https://tools.ietf.org/html/draft-ietf-tls-tls13-28#section-4.1.3>> > > > > TLS 1.3 clients receiving a ServerHello indicating TLS 1.2 or below > > MUST check that the last 8 bytes are not equal to either of these > > values. TLS 1.2 clients SHOULD also check that the last 8 bytes are > > not equal to the second value if the ServerHello indicates TLS 1.1 or > > below. If a match is found, the client MUST abort the handshake with > > an "illegal_parameter" alert. > > In this case the client is acting as a TLS 1.2 client so I don't think > that this paragraph applies. > > > Well, not quite. It's a TLS 1.3 implementation that has sent a TLS 1.2 > CH, but that looks the same to the server as an active downgrade. This > text was is in fact intended to cover this case -- and that's how NSS > interprets it -- though perhaps it's not as explicit as one would like.
Fair enough if that was the intention at the time. It's not clear to me from the text - but ok. I do think inappropriate_fallback would have been a better choice for this scenario - but I realise I'm raising this at the last possible moment! Matt _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
