Martin Thomson <m...@lowentropy.net> writes:
>Are you saying that there are TLS 1.3 implementations out there that don't
>send HRR when they should?
There are embedded TLS 1.3 implementations [*] that, presumably for space/
complexity reasons and possibly also for attack surface reduction, only
support the MTI algorithms (AES, SHA-2, P256) and don't do HRR.
We found this out because of Google's noncompliant implementation in Chrome.
In the presence of compliant implementations that do the MTI algorithms in the
client hello, you don't need HRR.
Peter.
[*] OK, not very many since they're mostly still TLS 1.2, but there are a
small number.
_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org
