Eric Rescorla wrote:
> That is what the document says:
> "Versions of TLS before 1.3 supported compression and the list of
> compression methods was supplied in this field. For any TLS 1.3
> ClientHello, this field MUST contain only the "null" compression method
> with the code point of 0. If a TLS 1.3 ClientHello is received with any
> other value in this field, the server MUST generate a fatal
> "illegal_parameter" alert. Note that TLS 1.3 servers may receive TLS 1.2 or
> prior ClientHellos which contain other compression methods and MUST follow
> the procedures for the appropriate prior version of TLS."
The quoted wording calls for a fatal handshake failure when ClientHello offers TLSv1.2+compression _or_ TLSv1.3, while at the same time the last requirement asserts that a ClientHello with TLSv1.2+compression is perfectly OK. To me, this looks quite odd.

If you want compression removed from TLSv1.3, how about something like this:

  "Versions of TLS before 1.3 supported compression and the list of compression methods was supplied in this field. All TLS protocol versions require the "null" compression method MUST be included/present in the compression_methods list of ClientHello. A TLSv1.3 server that is offered and selects/negotiates protocol version TLSv1.3 MUST select the "null" compression method, and MUST ignore all other compression methods that might appear in the compression_methods list of ClientHello."

Btw. for the last requirement, I would appreciate an additional recommendation for a configuration option to disable compression, maybe something like:

  "This document does not impose restrictions on the use of compression with TLS protocol versions prior to TLSv1.3. However, it is RECOMMENDED that implementations which support compression provide a configuration option allowing consumers to disable the use of compression in TLS."

-Martin
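An added example, not from the thread or the draft, that pulls the compression_methods vector and the supported_versions extension out of a raw ClientHello body and applies both rules discussed above (the quoted draft text and Martin's proposed wording) to the same hello. The ClientHello bytes are constructed here, and the alert returned when "null" is absent under the proposal is an assumption, since the proposal does not name one.

```python
import struct

TLS13 = 0x0304
ILLEGAL_PARAMETER = 47   # AlertDescription code point for illegal_parameter
SUPPORTED_VERSIONS = 43  # extension type for supported_versions

def parse_client_hello(body):
    """Return (offered_versions, compression_methods) from a ClientHello body,
    i.e. the handshake payload after the 4-byte Handshake header."""
    off = 2 + 32                                        # legacy_version + random
    off += 1 + body[off]                                # legacy_session_id<0..32>
    off += 2 + struct.unpack_from("!H", body, off)[0]   # cipher_suites<2..2^16-2>
    cm_len = body[off]; off += 1                        # compression_methods<1..2^8-1>
    comp = list(body[off:off + cm_len]); off += cm_len
    versions = [struct.unpack_from("!H", body, 0)[0]]   # legacy_version as fallback
    if off < len(body):                                 # extensions present
        end = off + 2 + struct.unpack_from("!H", body, off)[0]; off += 2
        while off < end:
            etype, elen = struct.unpack_from("!HH", body, off); off += 4
            if etype == SUPPORTED_VERSIONS:             # overrides legacy_version
                n = body[off]
                versions = [struct.unpack_from("!H", body, off + 1 + i)[0]
                            for i in range(0, n, 2)]
            off += elen
    return versions, comp

def draft_rule(versions, comp):
    """Wording quoted in the thread: a ClientHello offering 1.3 must carry
    exactly the null method, otherwise a fatal illegal_parameter alert."""
    if TLS13 in versions:
        return ("null", 0) if comp == [0] else ("alert", ILLEGAL_PARAMETER)
    return ("legacy", comp)        # prior-version procedures apply

def proposed_rule(versions, comp):
    """Martin's wording: null MUST be present for every version; a server
    negotiating 1.3 selects null and ignores the rest. Alert choice for a
    missing null is an assumption (the proposal does not specify one)."""
    if 0 not in comp:
        return ("alert", ILLEGAL_PARAMETER)
    return ("null", 0) if TLS13 in versions else ("legacy", comp)

def build_client_hello(comp, versions):
    """Constructed minimal ClientHello body (not a real capture)."""
    sv = b"".join(struct.pack("!H", v) for v in versions)
    ext = struct.pack("!HHB", SUPPORTED_VERSIONS, len(sv) + 1, len(sv)) + sv
    return (struct.pack("!H", 0x0303) + bytes(32) + b"\x00"   # version, random, no session id
            + struct.pack("!H", 2) + b"\x13\x01"               # TLS_AES_128_GCM_SHA256
            + bytes([len(comp)]) + bytes(comp)
            + struct.pack("!H", len(ext)) + ext)
```

Feeding a hello that lists deflate (1) before null (0) while offering TLS 1.3 shows the disagreement: draft_rule answers with illegal_parameter, proposed_rule selects null.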