Eric Rescorla <e...@rtfm.com> writes:

>The spec is actually extremely clear on this point
>https://tools.ietf.org/html/draft-ietf-tls-tls13-28#section-4.1.3
I hadn't looked at this bit too closely before, but since it says:

   If negotiating TLS 1.1 or below, TLS 1.3 servers MUST and TLS 1.2
   servers SHOULD set the last eight bytes of their Random value ...
   [second value]

   [...]

   TLS 1.2 clients SHOULD also check that the last eight bytes are not
   equal to the second value if the ServerHello indicates TLS 1.1 or
   below. If a match is found, the client MUST abort the handshake

Doesn't this mean that no-one can ever use TLS 1.1 or below any more? The server has to set its Random signalling bytes to X if it wants TLS 1.1 or below, and then the client has to abort the handshake if it finds those bytes.

Peter.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
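As an added illustration of the mechanism being discussed (example code written for this page, not code from the draft, from either poster, or from any TLS implementation), the following Python models both halves of the ServerHello.random downgrade signal: the server overwriting the last eight bytes when it selects a lower version, and the client checking those bytes and aborting. The two sentinel byte values are taken from RFC 8446 section 4.1.3, the published form of the draft quoted above (the quoted text on this page elides them). Which clients perform the check follows the quoted wording: it is stated for TLS 1.3 clients and TLS 1.2 clients, so the model applies it only to clients whose own maximum version is 1.2 or 1.3. The version constants, the function names and the `forced_max` on-path attacker model are assumptions of the example.

```python
"""Model of the ServerHello.random downgrade sentinels (RFC 8446 section 4.1.3).

Example code for illustration; not from the TLS draft or any real stack.
"""
import os

# ProtocolVersion codes as sent on the wire (assumed names for this example).
TLS10, TLS11, TLS12, TLS13 = 0x0301, 0x0302, 0x0303, 0x0304

# The two eight-byte sentinels from RFC 8446 section 4.1.3: "DOWNGRD" followed
# by 0x01 (a TLS 1.3 server negotiated TLS 1.2) or 0x00 (a TLS 1.3 or TLS 1.2
# server negotiated TLS 1.1 or below).
DOWNGRADE_TLS12 = b"DOWNGRD\x01"
DOWNGRADE_TLS11 = b"DOWNGRD\x00"


def server_random(server_max, negotiated, rng=os.urandom):
    """Build the 32-byte ServerHello.random a server emits after selecting
    `negotiated`, overwriting the last eight bytes with the sentinel the spec
    calls for (MUST for TLS 1.3 servers, SHOULD for TLS 1.2 servers)."""
    rand = bytearray(rng(32))
    if server_max >= TLS13 and negotiated == TLS12:
        rand[24:] = DOWNGRADE_TLS12
    elif server_max >= TLS12 and negotiated <= TLS11:
        rand[24:] = DOWNGRADE_TLS11
    return bytes(rand)


def client_must_abort(client_max, negotiated, random):
    """Client-side check from the quoted text. The check is specified for
    TLS 1.3 clients (either sentinel, when TLS 1.2 or below was selected) and
    for TLS 1.2 clients (second sentinel, when TLS 1.1 or below was selected);
    a client whose own maximum is TLS 1.1 has no check to apply."""
    if len(random) != 32:
        raise ValueError("ServerHello.random must be 32 bytes")
    tail = random[-8:]
    if client_max >= TLS13 and negotiated <= TLS12:
        return tail in (DOWNGRADE_TLS12, DOWNGRADE_TLS11)
    if client_max == TLS12 and negotiated <= TLS11:
        return tail == DOWNGRADE_TLS11
    return False


def simulate(client_max, server_max, forced_max=None):
    """Run one negotiation between a client and server with the given maximum
    versions. `forced_max` models an on-path attacker rewriting the ClientHello
    so the server believes the client supports at most that version (assumed
    attacker model for this example). Returns (negotiated, client_aborts)."""
    offered = client_max if forced_max is None else min(client_max, forced_max)
    negotiated = min(offered, server_max)
    rand = server_random(server_max, negotiated)
    return negotiated, client_must_abort(client_max, negotiated, rand)


if __name__ == "__main__":
    names = {TLS10: "1.0", TLS11: "1.1", TLS12: "1.2", TLS13: "1.3"}
    scenarios = [
        (TLS11, TLS11, None),   # both peers honestly capped at 1.1
        (TLS11, TLS13, None),   # 1.1-only client talking to a 1.3 server
        (TLS13, TLS13, None),   # no downgrade
        (TLS13, TLS13, TLS11),  # attacker forces 1.1 on a 1.3/1.3 pair
        (TLS12, TLS13, TLS11),  # attacker forces 1.1 on a 1.2 client
    ]
    for c, s, f in scenarios:
        neg, abort = simulate(c, s, f)
        forced = "none" if f is None else names[f]
        print(f"client {names[c]} server {names[s]} forced {forced}: "
              f"negotiated {names[neg]}, abort={abort}")
```

Running the scenarios shows the cases the thread is about: a pair that both genuinely top out at TLS 1.1, or a TLS 1.1-only client talking to a TLS 1.3 server, completes without the abort because the quoted check is stated only for TLS 1.2 and TLS 1.3 clients, while a client that supports TLS 1.2 or 1.3 and is pushed down to TLS 1.1 by an on-path rewrite sees the sentinel and aborts.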