Eric Rescorla wrote:
> 
> That is what the document says:
> "Versions of TLS before 1.3 supported compression and the list of
> compression methods was supplied in this field. For any TLS 1.3
> ClientHello, this field MUST contain only the "null" compression method
> with the code point of 0. If a TLS 1.3 ClientHello is received with any
> other value in this field, the server MUST generate a fatal
> "illegal_parameter" alert. Note that TLS 1.3 servers may receive TLS 1.2 or
> prior ClientHellos which contain other compression methods and MUST follow
> the procedures for the appropriate prior version of TLS."

The quoted wording calls for a fatal handshake failure when ClientHello offers

  TLSv1.2+compression  _or_  TLSv1.3

while at the same time the last requirement asserts that a ClientHello with

  TLSv1.2+compression

is perfectly OK.  To me, this looks quite odd.


If you want compression removed from TLSv1.3, how about something like this:


 "Versions of TLS before 1.3 supported compression and the list of
 compression methods was supplied in this field.  All TLS protocol
 versions require that the "null" compression method MUST be included/present
 in the compression_methods list of ClientHello.  A TLSv1.3 server that
 is offered and selects/negotiates protocol version TLSv1.3, MUST select
 the "null" compression method, and MUST ignore all other compression
 methods that might appear in the compression_methods list of ClientHello."


Btw. for the last requirement, I would appreciate an additional recommendation
for a configuration option to disable compression, maybe something like

 This document does not impose restrictions on the use of compression
 with TLS protocol versions prior to TLSv1.3.  However, it is RECOMMENDED
 that implementations which support compression provide a configuration
 option allowing consumers to disable the use of compression in TLS.


-Martin

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
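The following is an added illustration, not code from the draft, from the thread, or from any TLS implementation. It models the two server-side rules being compared above: the quoted draft text (a ClientHello that offers TLS 1.3 must carry exactly the null method, anything else is a fatal illegal_parameter) and Martin's proposed wording (null must always be present; a server negotiating TLS 1.3 selects null and ignores the rest). The ClientHello is reduced to the two fields that matter here, and the names `ClientHello`, `draft_rule`, `proposed_rule`, `select_version` and the "prior version" behaviour for TLS 1.2 (assumed: any list containing null is acceptable) are assumptions of this example, not anything the draft specifies.

```python
"""Compare the quoted draft rule with the proposed rule for the
compression_methods field of ClientHello.  Added illustration; the
ClientHello model, the server version-selection policy and the
pre-1.3 behaviour are assumptions, not text from the draft."""
from dataclasses import dataclass
from typing import List, Tuple

TLS12 = 0x0303
TLS13 = 0x0304
NULL_COMPRESSION = 0  # code point of the "null" compression method


@dataclass
class ClientHello:
    offered_versions: List[int]   # versions the client offers (assumed model)
    compression_methods: bytes    # raw compression_methods<1..2^8-1> vector


def parse_compression_methods(buf: bytes) -> bytes:
    """Decode the opaque vector: one length byte, then that many code points."""
    if not buf:
        raise ValueError("decode_error: empty compression_methods vector")
    length = buf[0]
    if length == 0 or len(buf) < 1 + length:
        raise ValueError("decode_error: bad compression_methods length")
    return buf[1:1 + length]


def select_version(ch: ClientHello, server_max: int = TLS13) -> int:
    """Assumed server policy: highest version both sides support."""
    common = [v for v in ch.offered_versions if v <= server_max]
    if not common:
        raise ValueError("protocol_version")
    return max(common)


def draft_rule(ch: ClientHello) -> str:
    """Quoted draft text: a TLS 1.3 ClientHello MUST contain only null,
    otherwise fatal illegal_parameter.  Pre-1.3 ClientHellos follow the
    prior version's rules (assumed here: null must be present)."""
    methods = parse_compression_methods(ch.compression_methods)
    if TLS13 in ch.offered_versions:
        if methods != bytes([NULL_COMPRESSION]):
            return "fatal illegal_parameter"
        return "ok: null"
    if NULL_COMPRESSION not in methods:
        return "fatal illegal_parameter"  # assumed prior-version behaviour
    return "ok: negotiate per prior version"


def proposed_rule(ch: ClientHello) -> str:
    """Proposed wording: null MUST always be present; when TLS 1.3 is
    negotiated the server selects null and ignores the other entries."""
    methods = parse_compression_methods(ch.compression_methods)
    if NULL_COMPRESSION not in methods:
        return "fatal illegal_parameter"
    if select_version(ch) == TLS13:
        return "ok: null (others ignored)"
    return "ok: negotiate per prior version"


def evaluate(ch: ClientHello) -> Tuple[str, str]:
    """Return (draft outcome, proposed outcome) for one ClientHello."""
    return draft_rule(ch), proposed_rule(ch)


# Constructed sample ClientHellos.  Code point 1 stands for a non-null
# method (DEFLATE in the pre-1.3 registry); the vector [2, 1, 0] is
# "length 2, methods {1, null}".
TLS13_WITH_COMPRESSION = ClientHello([TLS13, TLS12], bytes([2, 1, 0]))
TLS12_WITH_COMPRESSION = ClientHello([TLS12], bytes([2, 1, 0]))
TLS13_WITHOUT_NULL = ClientHello([TLS13, TLS12], bytes([1, 1]))

if __name__ == "__main__":
    for name, ch in [("TLS1.3 + compression", TLS13_WITH_COMPRESSION),
                     ("TLS1.2 + compression", TLS12_WITH_COMPRESSION),
                     ("TLS1.3, no null", TLS13_WITHOUT_NULL)]:
        draft, proposed = evaluate(ch)
        print(f"{name:22} draft: {draft:32} proposed: {proposed}")
```

The first two sample hellos carry the identical compression_methods vector; under the draft text the client that also offers TLS 1.3 is rejected while the TLS 1.2-only client is accepted, which is the asymmetry the message points out. Under the proposed wording both are accepted and the TLS 1.3 negotiation simply selects null. Both rules still reject a list that omits null.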