On Wed, Oct 7, 2015 at 11:11 PM, Martin Rex <m...@sap.com> wrote:
> Eric Rescorla wrote:
> > Martin Rex <m...@sap.com> wrote:
> >> Eric Rescorla wrote:
> >>>
> >>> That is what the document says:
> >>> "Versions of TLS before 1.3 supported compression and the list of
> >>> compression methods was supplied in this field. For any TLS 1.3
> >>> ClientHello, this field MUST contain only the "null" compression method
> >>> with the code point of 0. If a TLS 1.3 ClientHello is received with any
> >>> other value in this field, the server MUST generate a fatal
> >>> "illegal_parameter" alert. Note that TLS 1.3 servers may receive TLS 1.2
> >>> or prior ClientHellos which contain other compression methods and MUST
> >>> follow the procedures for the appropriate prior version of TLS."
> >>
> >> The quoted wording calls for a fatal handshake failure when ClientHello
> >> offers
> >>
> >> TLSv1.2+compression _or_ TLSv1.3
> >>
> >> while at the same time the last requirement asserts that a ClientHello with
> >>
> >> TLSv1.2+compression
> >>
> >> is perfectly OK. To me, this looks quite odd.
> >
> > That's not how I read this text.
> >
> > Rather, I read it as:
> > If ClientHelloVersion >= TLS 1.3
> > then the compression field must be empty
> > else:
> > the compression field is dictated by other versions
> >
> > This doesn't seem inconsistent to me. If you still think that the paragraph
> > reads differently, can you help me by diagramming it?
>
> What you describe would be considerably worse than what I understood,
> because it would mean that a TLSv1.3 ClientHello will be unconditionally
> invalid for a TLSv1.2 server.
>
> https://tools.ietf.org/html/rfc5246#page-42
>
> compression_methods
> This is a list of the compression methods supported by the client,
> sorted by client preference. If the session_id field is not empty
> (implying a session resumption request), it MUST include the
> *> compression_method from that session. This vector MUST contain,
> *> and all implementations MUST support, CompressionMethod.null.
> Thus, a client and server will always be able to agree on a
> compression method.
Sorry, I spoke carelessly. It must contain solely the null method.

-Ekr
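As an added example (not from this thread or from any TLS implementation), a server-side check of the rule Ekr restates: a TLS 1.3 ClientHello must carry exactly the null compression method, while a TLS 1.2 or earlier ClientHello only needs null to be somewhere in the list (RFC 5246). The helper and constant names are my own; a TLS 1.3 hello is recognised either by the version field (as in the 2015 drafts under discussion) or by a supported_versions extension listing 0x0304 (as in the final RFC 8446).

```python
import struct
TLS13 = 0x0304
SUPPORTED_VERSIONS_EXT = 0x002B
NULL_COMPRESSION = 0x00

def _vec(data, off, len_size):
    """Read a length-prefixed TLS vector; return (body, offset after it)."""
    n = int.from_bytes(data[off:off + len_size], "big")
    off += len_size
    if off + n > len(data):
        raise ValueError("truncated vector")
    return data[off:off + n], off + n

def parse_client_hello(body):
    """Parse a ClientHello body (without the 4-byte handshake header)."""
    legacy_version = int.from_bytes(body[0:2], "big")
    off = 2 + 32                              # skip Random
    _, off = _vec(body, off, 1)               # session_id
    _, off = _vec(body, off, 2)               # cipher_suites
    comp, off = _vec(body, off, 1)            # compression_methods
    versions = []
    if off < len(body):                       # extensions block is optional
        exts, _ = _vec(body, off, 2)
        i = 0
        while i < len(exts):
            etype = int.from_bytes(exts[i:i + 2], "big")
            edata, i = _vec(exts, i + 2, 2)
            if etype == SUPPORTED_VERSIONS_EXT:
                vs, _ = _vec(edata, 0, 1)
                versions = [int.from_bytes(vs[j:j + 2], "big") for j in range(0, len(vs), 2)]
    return legacy_version, versions, comp

def check_compression_methods(body):
    """None if the field is acceptable, else the fatal alert the server must send."""
    legacy_version, versions, comp = parse_client_hello(body)
    is_tls13 = legacy_version >= TLS13 or TLS13 in versions
    if is_tls13:                              # TLS 1.3 hello: exactly one method, null
        return None if comp == bytes([NULL_COMPRESSION]) else "illegal_parameter"
    # TLS 1.2 or earlier: any list is fine as long as null is present (RFC 5246 7.4.1.2)
    return None if NULL_COMPRESSION in comp else "handshake_failure"

def build_client_hello(legacy_version, compression, supported_versions=None):
    """Build a minimal ClientHello body from constructed sample values."""
    body = struct.pack(">H", legacy_version) + b"\x00" * 32 + b"\x00"   # Random, empty session_id
    body += struct.pack(">H", 2) + b"\x13\x01" + bytes([len(compression)]) + compression
    if supported_versions is not None:
        vs = b"".join(struct.pack(">H", v) for v in supported_versions)
        ext = struct.pack(">HH", SUPPORTED_VERSIONS_EXT, len(vs) + 1) + bytes([len(vs)]) + vs
        body += struct.pack(">H", len(ext)) + ext
    return body
```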
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls