On 10/2/20 14:15, I wrote:
The server also needs to know the entire HelloRetryRequest message since this goes into the Transcript Hash calculation:Transcript-Hash(ClientHello1, HelloRetryRequest, ... Mn) = Hash(message_hash || /* Handshake type */ 00 00 Hash.length || /* Handshake message length (bytes) */ Hash(ClientHello1) || /* Hash of ClientHello1 */ HelloRetryRequest || ... || Mn)
Please don't tell me all the current TLS 1.3 implementations forgot to include the HelloRetryRequest in the transcript hash. Mike _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
