[changed subject to reflect forking of thread]

On Thu, Aug 09, 2018 at 08:07:26AM +0000, Peter Gutmann wrote:
> Eric Rescorla <e...@rtfm.com> writes:
>
> >The spec is actually extremely clear on this point
> >https://tools.ietf.org/html/draft-ietf-tls-tls13-28#section-4.1.3
>
> I hadn't looked at this bit too closely before, but since it says:
>
>   If negotiating TLS 1.1 or below, TLS 1.3 servers MUST and TLS 1.2
>   servers SHOULD set the last eight bytes of their Random value ...
>
>   [second value]
>
>   [...]
>
>   TLS 1.2 clients SHOULD also check that the last eight bytes
>   are not equal to the second value if the ServerHello indicates TLS
>   1.1 or below. If a match is found, the client MUST abort the
>   handshake
>
> Doesn't this mean that no-one can ever use TLS 1.1 or below any more? The
> server has to set its Random signalling bytes to X if it wants TLS 1.1 or
> below, and then the client has to abort the handshake if it finds those bytes.
Well, what do you mean by "no one"? A TLS 1.1-only implementation will
happily negotiate 1.1 and take no special action on the signalling random
value. A 1.2-capable implementation that is configured to only offer 1.1
should be able to behave similarly.

-Ben

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
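The downgrade-sentinel rule the two messages above argue about, modelled in Python as an added example (it is not code from this thread or from any TLS implementation). The two eight-byte values are the ones draft-28 / RFC 8446 section 4.1.3 specifies ("DOWNGRD" followed by 0x01 or 0x00); the function names, the `entropy` parameter and the "highest version the client offered" parameter are this example's own assumptions. It shows why a client that never offered anything above 1.1 is unaffected, while a client that offered 1.3 and then sees the sentinel must abort.

```python
import os

# ProtocolVersion codes as carried on the wire.
TLS10, TLS11, TLS12, TLS13 = 0x0301, 0x0302, 0x0303, 0x0304

# Sentinel values from draft-28 / RFC 8446 section 4.1.3:
#   "DOWNGRD" 0x01  - a TLS 1.3-capable server negotiating TLS 1.2
#   "DOWNGRD" 0x00  - a TLS 1.3- or 1.2-capable server negotiating 1.1 or below
SENTINEL_TLS12 = bytes.fromhex("444F574E47524401")
SENTINEL_TLS11 = bytes.fromhex("444F574E47524400")


def server_random(server_max, negotiated, entropy=None):
    """Build the 32-byte ServerHello.random a server sends.

    server_max  - highest version the server supports
    negotiated  - version the server selected for this handshake
    entropy     - optional fixed 32 bytes (for deterministic tests);
                  otherwise os.urandom(32) is used
    """
    rnd = bytearray(entropy if entropy is not None else os.urandom(32))
    if negotiated == TLS12 and server_max >= TLS13:
        rnd[24:] = SENTINEL_TLS12
    elif negotiated <= TLS11 and server_max >= TLS12:
        # MUST for a 1.3 server, SHOULD for a 1.2 server; modelled as always.
        rnd[24:] = SENTINEL_TLS11
    return bytes(rnd)


def client_must_abort(offered_max, negotiated, random32):
    """Client-side check on the last eight bytes of ServerHello.random.

    offered_max - highest version this client actually offered (assumption:
                  a 1.2-capable client configured for 1.1 passes TLS11 here)
    negotiated  - version the ServerHello selected
    Returns True when the specification requires aborting the handshake.
    """
    tail = random32[24:]
    if offered_max >= TLS13 and negotiated <= TLS12:
        # A 1.3 client MUST reject either sentinel on a 1.2-or-lower ServerHello.
        return tail in (SENTINEL_TLS12, SENTINEL_TLS11)
    if offered_max == TLS12 and negotiated <= TLS11:
        # A 1.2 client SHOULD reject only the second value, and only for <= 1.1.
        return tail == SENTINEL_TLS11
    # A client that offered nothing above 1.1 never inspects the sentinel,
    # so the bytes the server set are harmless to it.
    return False


def handshake_outcome(offered_max, server_max, entropy=None):
    """Pick the highest common version and report (negotiated, client_aborts)."""
    negotiated = min(offered_max, server_max)
    rnd = server_random(server_max, negotiated, entropy)
    return negotiated, client_must_abort(offered_max, negotiated, rnd)


if __name__ == "__main__":
    names = {TLS10: "1.0", TLS11: "1.1", TLS12: "1.2", TLS13: "1.3"}
    # Honest negotiation: a 1.1-only client against a 1.3 server.
    v, aborts = handshake_outcome(TLS11, TLS13)
    print(f"1.1-only client vs 1.3 server: negotiated {names[v]}, abort={aborts}")
    # Genuine downgrade: client offered 1.3, ServerHello says 1.1 with the sentinel.
    forced = server_random(TLS13, TLS11)
    print("1.3 client sees 1.1 + sentinel: abort =",
          client_must_abort(TLS13, TLS11, forced))
```

The point of the `offered_max` parameter is that the check keys off what the client put in its ClientHello, not off what the library could do in principle: an implementation built with 1.3 support but configured to offer at most 1.1 takes the `return False` path just like a 1.1-only stack.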