On Thu, Aug 9, 2018 at 1:07 AM, Peter Gutmann <pgut...@cs.auckland.ac.nz>
wrote:

> Eric Rescorla <e...@rtfm.com> writes:
>
> >The spec is actually extremely clear on this point
> >https://tools.ietf.org/html/draft-ietf-tls-tls13-28#section-4.1.3
>
> I hadn't looked at this bit too closely before, but since it says:
>
>    If negotiating TLS 1.1 or below, TLS 1.3 servers MUST and TLS 1.2
>    servers SHOULD set the last eight bytes of their Random value ...
>
>    [second value]
>
> [...]
>
>    TLS 1.2 clients SHOULD also check that the last eight bytes
>    are not equal to the second value if the ServerHello indicates TLS
>    1.1 or below.  If a match is found, the client MUST abort the
>    handshake
>
> Doesn't this mean that no-one can ever use TLS 1.1 or below any more? The
> server has to set its Random signalling bytes to X if it wants TLS 1.1 or
> below, and then the client has to abort the handshake if it finds those
> bytes.
>

I don't believe so, no.

The server MUST set these bytes if it supports > TLS 1.1 and the client
MUST check them if it gets TLS 1.1 and it wants > TLS 1.1.

So if the server wants TLS 1.1, then it doesn't set the bytes. If the
client wants TLS 1.1, it doesn't check them. In either case, the handshake
succeeds.

-Ekr


> Peter.
>
_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
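
The rule discussed in this thread, as an added example that is not part of the original messages or of any TLS implementation: a small model of which side sets and which side checks the downgrade sentinel. The function names are hypothetical, the two sentinel constants are the ones given in section 4.1.3 of the specification (published as RFC 8446), and the SHOULD-level behaviour of TLS 1.2 peers is assumed to be implemented.

```python
import os

# Protocol version numbers as they appear on the wire.
TLS10, TLS11, TLS12, TLS13 = 0x0301, 0x0302, 0x0303, 0x0304

# Sentinel values from section 4.1.3 (last eight bytes of ServerHello.Random).
DOWNGRADE_TO_12 = b"DOWNGRD\x01"           # 44 4F 57 4E 47 52 44 01
DOWNGRADE_TO_11_OR_BELOW = b"DOWNGRD\x00"  # 44 4F 57 4E 47 52 44 00


def server_random(server_max, negotiated):
    """Build ServerHello.Random, overwriting the last 8 bytes when required."""
    rnd = bytearray(os.urandom(32))
    if server_max >= TLS13 and negotiated == TLS12:
        rnd[24:] = DOWNGRADE_TO_12
    elif server_max >= TLS12 and negotiated <= TLS11:
        # MUST for TLS 1.3 servers, SHOULD for TLS 1.2 servers (assumed done).
        rnd[24:] = DOWNGRADE_TO_11_OR_BELOW
    # A server whose own maximum is TLS 1.1 or below leaves Random untouched.
    return bytes(rnd)


def client_must_abort(client_max, negotiated, random):
    """True when a sentinel shows the server could have gone higher."""
    tail = random[24:]
    if client_max >= TLS13 and negotiated <= TLS12:
        return tail in (DOWNGRADE_TO_12, DOWNGRADE_TO_11_OR_BELOW)
    if client_max == TLS12 and negotiated <= TLS11:
        # SHOULD-level check for TLS 1.2 clients (assumed done).
        return tail == DOWNGRADE_TO_11_OR_BELOW
    # Client got its own maximum, or only supports TLS 1.1 or below: no check.
    return False


def handshake(client_max, server_max, negotiated):
    """Return 'ok' or 'abort' for one simulated version negotiation."""
    rnd = server_random(server_max, negotiated)
    return "abort" if client_must_abort(client_max, negotiated, rnd) else "ok"
```

A handshake only aborts when both peers support more than the version that ended up in the ServerHello; a TLS 1.1-only server never writes the sentinel and a TLS 1.1-only client never looks for it.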
