Issue#1: Section "4.1.3 Server Hello" currently states:

   extensions: A list of extensions. The ServerHello MUST only include
   extensions which are required to establish the cryptographic context.
   Currently the only such extensions are “key_share” and “pre_shared_key”.
   All current TLS 1.3 ServerHello messages will contain one of these two
   extensions, or both when using a PSK with (EC)DHE key establishment.
   The remaining extensions are sent separately in the EncryptedExtensions
   message.

"supported_versions" should be added to the list of required extensions for a session that negotiates TLS 1.3.

Issue#2: Section "4.1.4 Hello Retry Request" currently states:

   Upon receiving the ServerHello, clients MUST check that the cipher suite
   supplied in the ServerHello is the same as that in the HelloRetryRequest
   and otherwise abort the handshake with an “illegal_parameter” alert.

There is no rule about checking that SH.supported_versions.selected_version matches HRR.supported_versions.selected_version.

I am currently adding draft 23 support, and want to enforce that rule to make sure the protocol state machine does not have to jump back and forth between TLS 1.2 and TLS 1.3.

I can add a PR for both issues, if you agree.

--Roelof
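The client-side checks the two issues describe, as an added Python example that is not part of the post or of any TLS implementation: it parses a ServerHello extensions vector, requires "supported_versions" to select TLS 1.3 (Issue#1), and, when a HelloRetryRequest preceded the ServerHello, requires both the cipher suite and selected_version to match (Issue#2). Extension numbers and the alert names not quoted in the post are taken from the TLS registry and RFC 8446; the sample messages are constructed.

```python
import struct
# Extension type numbers from the IANA TLS registry; TLS 1.3 is version 0x0304.
EXT_PRE_SHARED_KEY, EXT_SUPPORTED_VERSIONS, EXT_KEY_SHARE = 41, 43, 51
TLS13 = b"\x03\x04"
ALLOWED_SH_EXTS = {EXT_PRE_SHARED_KEY, EXT_SUPPORTED_VERSIONS, EXT_KEY_SHARE}

def parse_extensions(blob):
    """Parse a TLS extensions vector: 2-byte total length, then (type, length, data) triples."""
    if len(blob) < 2 or struct.unpack("!H", blob[:2])[0] != len(blob) - 2:
        raise ValueError("extensions length mismatch")
    exts, pos = {}, 2
    while pos < len(blob):
        etype, elen = struct.unpack("!HH", blob[pos:pos + 4])  # struct.error if truncated
        data = blob[pos + 4:pos + 4 + elen]
        if len(data) != elen:
            raise ValueError("truncated extension body")
        if etype in exts:
            raise ValueError("duplicate extension")
        exts[etype] = data
        pos += 4 + elen
    return exts

def check_server_hello(sh_suite, sh_exts, hrr_suite=None, hrr_exts=None):
    """Client-side ServerHello checks; returns None if acceptable, else 'alert: reason'."""
    sh = parse_extensions(sh_exts)
    # Only extensions needed to set up the cryptographic context may appear here.
    if not set(sh) <= ALLOWED_SH_EXTS:
        return "illegal_parameter: extension not permitted in ServerHello"
    # Issue#1: supported_versions is required when TLS 1.3 is negotiated.
    if sh.get(EXT_SUPPORTED_VERSIONS) != TLS13:
        return "illegal_parameter: supported_versions missing or not TLS 1.3"
    if EXT_KEY_SHARE not in sh and EXT_PRE_SHARED_KEY not in sh:
        return "missing_extension: neither key_share nor pre_shared_key"
    if hrr_suite is not None:  # a HelloRetryRequest preceded this ServerHello
        hrr = parse_extensions(hrr_exts)
        if sh_suite != hrr_suite:
            return "illegal_parameter: cipher suite differs from HelloRetryRequest"
        # Issue#2: selected_version must match the HelloRetryRequest as well.
        if sh[EXT_SUPPORTED_VERSIONS] != hrr.get(EXT_SUPPORTED_VERSIONS):
            return "illegal_parameter: selected_version differs from HelloRetryRequest"
    return None

def encode_extensions(pairs):
    """Build an extensions vector from (type, data) pairs (used for the constructed samples)."""
    body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in pairs)
    return struct.pack("!H", len(body)) + body

# Constructed samples: HRR selects x25519 (0x001d); SH carries a 32-byte placeholder public key.
HRR_EXTS = encode_extensions([(EXT_SUPPORTED_VERSIONS, TLS13), (EXT_KEY_SHARE, b"\x00\x1d")])
SH_EXTS = encode_extensions([(EXT_SUPPORTED_VERSIONS, TLS13), (EXT_KEY_SHARE, b"\x00\x1d\x00\x20" + b"\x11" * 32)])
```

Cipher suite values such as 0x1301 (TLS_AES_128_GCM_SHA256) are passed as integers; a draft-23 HelloRetryRequest would carry selected_version 0x7f17, which the last check rejects against a final-version ServerHello.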
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls