On Wed, Jun 5, 2024 at 6:24 AM Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:
>
> Martin Thomson <m...@lowentropy.net> writes:
>
> >Are you saying that there are TLS 1.3 implementations out there that don't
> >send HRR when they should?
>
> There are embedded TLS 1.3 implementations [*] that, presumably for space/
> complexity reasons and possibly also for attack surface reduction, only
> support the MTI algorithms (AES, SHA-2, P256) and don't do HRR.
>
> We found this out because of Google's noncompliant implementation in Chrome.
> In the presence of compliant implementations that do the MTI algorithms in the
> client hello, you don't need HRR.

What wording makes you think you need the MTI algorithms in the client hello? I certainly don't read it that way.

>
> Peter.
>
> [*] OK, not very many since they're mostly still TLS 1.2, but there are a
> small number.
> _______________________________________________
> TLS mailing list -- tls@ietf.org
> To unsubscribe send an email to tls-le...@ietf.org

--
Astra mortemque praestare gradatim