On Wed, Jun 5, 2024 at 6:25 AM Peter Gutmann <pgut...@cs.auckland.ac.nz> wrote:
> Martin Thomson <m...@lowentropy.net> writes:
>
> >Are you saying that there are TLS 1.3 implementations out there that don't
> >send HRR when they should?
>
> There are embedded TLS 1.3 implementations [*] that, presumably for space/
> complexity reasons and possibly also for attack surface reduction, only
> support the MTI algorithms (AES, SHA-2, P256) and don't do HRR.

Those implementations are not compliant with RFC 8446. Section 4.1.1 requires that a server respond with HRR if it selects an (EC)DHE group and the client didn't offer a compatible key_share in the initial ClientHello. (Likewise, section 4.1.3 requires that clients support HRR.)
_______________________________________________
TLS mailing list -- tls@ietf.org
To unsubscribe send an email to tls-le...@ietf.org
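The negotiation the reply describes, as an added illustration that is not part of the thread or of any implementation named in it: a toy Python model of the TLS 1.3 key_share / HelloRetryRequest decision. It contrasts a server that follows RFC 8446 section 4.1.1 (send HRR when the selected group has no matching key_share, handshake_failure only when there is no common group at all) with a stripped-down server of the kind Peter describes, which supports only the MTI group and never sends HRR. The client side applies the checks from sections 4.1.4 and 4.2.8 (abort on a second HRR, or on an HRR naming a group that was not offered or that already had a share). There is no real key exchange or wire format here; the group code points are the IANA NamedGroup values and the ClientHello contents are constructed test data.

```python
"""Toy model of TLS 1.3 (EC)DHE group negotiation and HelloRetryRequest.

Added example, not code from the thread or from any TLS library. No crypto,
no wire encoding: a KeyShareEntry is represented only by its NamedGroup.
Code points are the IANA NamedGroup registry values.
"""
from dataclasses import dataclass

X25519 = 0x001D
SECP256R1 = 0x0017   # the MTI group (RFC 8446 section 9.1)
SECP384R1 = 0x0018


@dataclass
class ClientHello:
    supported_groups: list   # client preference order
    key_shares: list         # groups for which a KeyShareEntry was sent


@dataclass
class ServerHello:
    selected_group: int


@dataclass
class HelloRetryRequest:
    selected_group: int


@dataclass
class Alert:
    description: str


def rfc8446_server(ch, server_groups):
    """Server behaviour required by RFC 8446 section 4.1.1.

    Select the most-preferred server group the client listed. If the client
    already supplied a key_share for it, answer with ServerHello; otherwise
    ask for that group with HelloRetryRequest. Only when no group is shared
    at all does the server abort with handshake_failure."""
    # Section 4.2.8: key_share groups must also appear in supported_groups;
    # a server MAY check this and abort with illegal_parameter.
    for g in ch.key_shares:
        if g not in ch.supported_groups:
            return Alert("illegal_parameter")
    for g in server_groups:
        if g in ch.supported_groups:
            if g in ch.key_shares:
                return ServerHello(g)
            return HelloRetryRequest(g)
    return Alert("handshake_failure")


def embedded_server(ch, server_groups=(SECP256R1,)):
    """Non-compliant server of the kind described in the thread: one group,
    no HRR. If the initial ClientHello carries no usable key_share the
    handshake simply fails, even though a group in common exists."""
    for g in server_groups:
        if g in ch.key_shares:
            return ServerHello(g)
    return Alert("handshake_failure")


def client_retry(ch, hrr):
    """Client response to HRR (sections 4.1.4 and 4.2.8): send a second
    ClientHello whose key_share holds exactly one entry for the requested
    group. Abort with illegal_parameter if the requested group was never
    offered, or if a share for it was already sent (the HRR would change
    nothing)."""
    if hrr.selected_group not in ch.supported_groups:
        return Alert("illegal_parameter")
    if hrr.selected_group in ch.key_shares:
        return Alert("illegal_parameter")
    return ClientHello(ch.supported_groups, [hrr.selected_group])


def handshake(server, ch, server_groups):
    """Drive one connection and return the list of messages exchanged."""
    transcript = [ch]
    msg = server(ch, server_groups)
    transcript.append(msg)
    if isinstance(msg, HelloRetryRequest):
        ch2 = client_retry(ch, msg)
        transcript.append(ch2)
        if isinstance(ch2, Alert):
            return transcript
        msg2 = server(ch2, server_groups)
        transcript.append(msg2)
        # Section 4.1.4: a second HRR in the same connection is fatal.
        if isinstance(msg2, HelloRetryRequest):
            transcript.append(Alert("unexpected_message"))
    return transcript


if __name__ == "__main__":
    # Constructed ClientHello: offers x25519 and P-256, sends a share for x25519 only.
    ch = ClientHello([X25519, SECP256R1], [X25519])
    for name, srv in (("compliant", rfc8446_server), ("embedded", embedded_server)):
        print(name, handshake(srv, ch, [SECP256R1, X25519] if srv is rfc8446_server else [SECP256R1]))
```

Running the `__main__` block shows the difference the reply is pointing at: against the compliant server the transcript is ClientHello, HelloRetryRequest(P-256), ClientHello with a P-256 share, ServerHello; against the HRR-less server the same ClientHello gets handshake_failure on the first round trip, although both sides support P-256.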