> One way HRR is used is in case the client's and server's cipher suite
> preferences don't intersect. This feature is an essential part of TLS, as
> there's no a priori reason why the client and server will initially
> advertise overlapping preferences. (They usually do, hence the claim that
> HRR is rare.) I don't think aborting the handshake instead of HRR is an
> acceptable solution, as this would mean there are deployments with which
> TLS couldn't be used.
>
Slight refinement: David B. pointed out to me that "cipher suite preference" isn't quite the right term here. The client provides key shares in its CH that it guesses the server can use; if it's wrong, then the server replies with HRR. A more accurate statement would be that "HRR is essential for ensuring the client sends a key share the server supports."
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
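The key-share negotiation the reply describes, as an added example that is not part of the original post: a small Python model of the first ClientHello with guessed key shares, the server's choice between ServerHello, HelloRetryRequest and aborting, and the client's retry. Group names follow RFC 8446 NamedGroup names; the key-share payloads and the group lists are constructed placeholders.

```python
# Added example (not from the original thread): minimal model of TLS 1.3
# key_share negotiation, showing when a server sends HelloRetryRequest (HRR)
# and when no HRR can help and the handshake must abort instead.
from dataclasses import dataclass, field

@dataclass
class ClientHello:
    supported_groups: list                        # all groups the client can do, preference order
    key_shares: dict = field(default_factory=dict)  # group -> public key; only a guessed subset

def client_hello(supported_groups, guessed_groups):
    """The client sends key shares only for the groups it guesses the server wants."""
    shares = {g: f"<{g} pubkey>".encode() for g in guessed_groups}  # constructed placeholder keys
    return ClientHello(list(supported_groups), shares)

def server_respond(ch, server_groups):
    """Return ("ServerHello", group), ("HRR", group) or ("abort", alert)."""
    # A usable key share already present: proceed directly (server preference order).
    for g in server_groups:
        if g in ch.key_shares:
            return ("ServerHello", g)
    # No usable key share, but a mutually supported group exists: request it via HRR.
    for g in server_groups:
        if g in ch.supported_groups:
            return ("HRR", g)
    # Nothing in common at all: HRR cannot fix this, so the server aborts.
    return ("abort", "handshake_failure")

def client_retry(ch, hrr_group):
    """Second ClientHello carrying a key share for exactly the group the HRR named."""
    # RFC 8446 §4.1.4: the group must be one we offered, and not one we already sent a share for.
    if hrr_group not in ch.supported_groups or hrr_group in ch.key_shares:
        raise ValueError("illegal_parameter")
    return client_hello(ch.supported_groups, [hrr_group])

def negotiate(client_groups, guessed_groups, server_groups):
    """Run the exchange end to end; returns (list of flights, final outcome)."""
    ch = client_hello(client_groups, guessed_groups)
    flights = ["ClientHello"]
    kind, value = server_respond(ch, server_groups)
    if kind == "HRR":
        flights.append("HelloRetryRequest")
        ch = client_retry(ch, value)
        flights.append("ClientHello")
        kind, value = server_respond(ch, server_groups)
    flights.append("Alert" if kind == "abort" else kind)
    return flights, (kind, value)
```

Running `negotiate(["x25519", "secp256r1"], ["x25519"], ["secp256r1"])` shows the HRR round trip; with no shared group at all the same function ends in a handshake_failure alert, which is the case the quoted text says HRR exists to avoid.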