On Wed, 5 Jun 2024 at 14:24, Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:
> Martin Thomson <m...@lowentropy.net> writes:
>
> >Are you saying that there are TLS 1.3 implementations out there that don't
> >send HRR when they should?
>
> There are embedded TLS 1.3 implementations [*] that, presumably for space/
> complexity reasons and possibly also for attack surface reduction, only
> support the MTI algorithms (AES, SHA-2, P256) and don't do HRR.
>
> We found this out because of Google's noncompliant implementation in
> Chrome.

> In the presence of compliant implementations that do the MTI algorithms in
> the client hello, you don't need HRR

That is not a correct interpretation, in my opinion. Offering a key_share for every MTI key exchange is not required, because:

> Clients MAY send an empty client_shares vector in order to request
> group selection from the server, at the cost of an additional round
> trip

This clause requires HRR support from all peers.

Cheers,
Joe
_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org
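The point of the thread, worked through as an added example (not code from any of the participants): the RFC 8446 server-side group selection logic, together with the wire encoding of a ClientHello key_share extension whose client_shares vector is empty. A peer that does not implement HRR has no compliant response to that encoding other than aborting. The NamedGroup code points are the RFC's; the function names and the sample key material are assumptions made for this illustration.

```python
import struct

# NamedGroup code points from RFC 8446 section 4.2.7
SECP256R1, SECP384R1, X25519 = 0x0017, 0x0018, 0x001D
KEY_SHARE_EXT = 51  # ExtensionType key_share


def encode_key_share_ch(shares):
    """Encode a ClientHello key_share extension (RFC 8446 section 4.2.8).

    shares: list of (named_group, key_exchange_bytes). Passing an empty
    list produces the empty client_shares vector the thread discusses:
    type 0x0033, extension length 2, client_shares length 0."""
    body = b"".join(struct.pack("!HH", g, len(k)) + k for g, k in shares)
    client_shares = struct.pack("!H", len(body)) + body
    return struct.pack("!HH", KEY_SHARE_EXT, len(client_shares)) + client_shares


def server_decision(supported_groups, shares, server_groups, supports_hrr=True):
    """Server-side group selection (RFC 8446 sections 4.1.4 and 4.2.8).

    supported_groups: groups the client listed in supported_groups.
    shares: (group, key_exchange) pairs from the client's key_share.
    server_groups: groups the server accepts, in its preference order.
    Returns ('accept', group) when a usable key_share was offered,
    ('hrr', group) when a mutually supported group exists but no share
    for it was sent, and ('abort', None) when no group is shared or the
    server cannot send HelloRetryRequest at all."""
    offered = [g for g, _ in shares]
    for g in server_groups:
        if g in offered and g in supported_groups:
            return ("accept", g)
    for g in server_groups:
        if g in supported_groups:
            # Only path forward is HRR; a server without HRR can only abort.
            return ("hrr", g) if supports_hrr else ("abort", None)
    return ("abort", None)


if __name__ == "__main__":
    # Constructed sample: client advertises X25519 and P-256, sends no share.
    print(encode_key_share_ch([]).hex())
    print(server_decision([X25519, SECP256R1], [], [SECP256R1]))
    print(server_decision([X25519, SECP256R1], [], [SECP256R1], supports_hrr=False))
```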