-- -Todd Short // tsh...@akamai.com // "One if by land, two if by sea, three if by the Internet."
> On Aug 9, 2018, at 12:11 PM, Hubert Kario <hka...@redhat.com> wrote:
>
> On Thursday, 9 August 2018 16:09:02 CEST Short, Todd wrote:
>>> On Aug 9, 2018, at 9:02 AM, Matt Caswell <m...@openssl.org> wrote:
>>>
>>> That's not the way I read it. If a server is configured to use TLSv1.1
>>> then it's not a TLSv1.3 server and this text doesn't apply (regardless of
>>> whether the binary could do TLSv1.3 if it was configured differently).
>>>
>>> Matt
>>>
>>
>> Agreed.
>>
>> If a TLS 1.2 (capable) server is negotiating TLS 1.1 with a TLS 1.2 client,
>> then it can't be considered a TLS 1.2 server, otherwise, it would negotiate
>> TLS 1.2.
>
>> It must be considered a TLS 1.1 server, since that is the maximum version it
>> is configured to support.
>
> actually, no, if it has both TLS 1.2 and TLS 1.1 enabled, then it is a TLS 1.2
> server, so receiving a TLS 1.1 ClientHello with FALLBACK_SCSV MUST fail with
> inappropriate_fallback
>
> if it has TLS 1.1 enabled, and nothing else, *then* it is TLS 1.1 server,
> and receiving a TLS 1.1 ClientHello with FALLBACK_SCSV SHOULD NOT fail (it may
> fail because of ciphersuite mismatch, but it MUST NOT fail because of the
> FALLBACK_SCSV being present)
  ^^^^^^^^^^^^^^^^^^^^^

This is the situation I am referring to: TLS 1.1 only (even if it has disabled TLS 1.2 code). If TLS 1.2 were enabled in the above scenario, then TLS 1.2 would be negotiated with the TLS 1.2 client. I explicitly stated "since that [TLS 1.1] is the maximum version it is configured to support".

> situation with TLS 1.3, TLS 1.2 and downgrade protection from Section 4.1.3
> (bottom of page 37 onwards:
> https://tools.ietf.org/html/draft-ietf-tls-tls13-28#page-37) is exactly the
> same – it does not matter what is _implemented_ it matters what is _enabled_
>
> --
> Regards,
> Hubert Kario
> Senior Quality Engineer, QE BaseOS Security team
> Web: www.cz.redhat.com
> Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
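As an added illustration (not code from this thread, from OpenSSL, or from any participant), here is a model of the two checks under discussion, both keyed on the versions a server has *enabled* rather than what its binary implements: the RFC 7507 TLS_FALLBACK_SCSV rule and the Section 4.1.3 ServerHello.random sentinels of the TLS 1.3 draft (as published in RFC 8446). The version codes, SCSV value and sentinel bytes are the standard ones; the function names and the alert-as-string return convention are assumptions of this example.

```python
# Added example: server and client downgrade checks driven by *enabled* versions.
# Python 3, standard library only. Function names are this example's own.
import os

TLS_FALLBACK_SCSV = 0x5600                   # RFC 7507 signalling cipher suite value
TLS10, TLS11, TLS12, TLS13 = 0x0301, 0x0302, 0x0303, 0x0304
DOWNGRADE_TLS12 = bytes.fromhex("444F574E47524401")   # "DOWNGRD\x01", RFC 8446 4.1.3
DOWNGRADE_TLS11 = bytes.fromhex("444F574E47524400")   # "DOWNGRD\x00", RFC 8446 4.1.3


def server_check(enabled_versions, server_suites, client_version, client_suites):
    """Server side of RFC 7507. Returns the alert to send, or None to proceed.

    enabled_versions: versions the server is *configured* to negotiate. A binary
    that implements TLS 1.2 but has only TLS 1.1 enabled is a TLS 1.1 server here.
    """
    if TLS_FALLBACK_SCSV in client_suites and client_version < max(enabled_versions):
        return "inappropriate_fallback"       # client fell back below what we offer
    if not (set(client_suites) & server_suites) - {TLS_FALLBACK_SCSV}:
        return "handshake_failure"            # may still fail, but not because of SCSV
    return None


def server_random(enabled_versions, negotiated):
    """RFC 8446 4.1.3: a server with TLS 1.3 (or 1.2) enabled that negotiates a
    lower version overwrites the last 8 bytes of its random with a sentinel."""
    rnd = bytearray(os.urandom(32))
    highest = max(enabled_versions)
    if highest >= TLS12 and negotiated < highest:
        rnd[24:] = DOWNGRADE_TLS12 if negotiated == TLS12 else DOWNGRADE_TLS11
    return bytes(rnd)


def client_check_random(client_max, negotiated, rnd):
    """Client side of 4.1.3. A TLS 1.3 client offered a lower version aborts on
    either sentinel; a TLS 1.2 client checks the TLS 1.1-and-below sentinel."""
    tail = rnd[24:]
    if client_max >= TLS13 and negotiated < TLS13 and tail in (DOWNGRADE_TLS12, DOWNGRADE_TLS11):
        return "illegal_parameter"
    if client_max == TLS12 and negotiated < TLS12 and tail == DOWNGRADE_TLS11:
        return "illegal_parameter"
    return None


if __name__ == "__main__":
    # The two cases from the thread: TLS 1.1 ClientHello with FALLBACK_SCSV against a
    # server with {1.1, 1.2} enabled (must fail) and against a 1.1-only server (proceeds).
    print(server_check({TLS11, TLS12}, {0x002F}, TLS11, [0x002F, TLS_FALLBACK_SCSV]))
    print(server_check({TLS11}, {0x002F}, TLS11, [0x002F, TLS_FALLBACK_SCSV]))
```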
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls