Hello,
On 21/04/2026 11:51, youssef hamdi wrote:
> Mean TTE: 0.022s | CWE-757 | CVSS 8.1
> THE CORE ISSUE
> ──────────────
> RFC 8446 does not mandate that a server REJECT a ClientHello
> offering only classical groups when the server's policy requires
> hybrid KEM. Server-side enforcement is currently optional. This
> means deployments advertising post-quantum protection — including
> those migrating under NIST PQC standards — can be silently
> downgraded to classical-only sessions with no client-visible error.
It seems the vulnerability describes intended behaviour. As per RFC 8446,
section 4.1.1:
If the server selects an (EC)DHE group and the client did not offer a
compatible "key_share" extension in the initial ClientHello, the
server MUST respond with a HelloRetryRequest (Section 4.1.4
<https://datatracker.ietf.org/doc/html/rfc8446#section-4.1.4>) message.
[...]
If the server is unable to negotiate a supported set of parameters
(i.e., there is no overlap between the client and server parameters),
it MUST abort the handshake with either a "handshake_failure" or
"insufficient_security" fatal alert (see Section 6
<https://datatracker.ietf.org/doc/html/rfc8446#section-6>).
It seems this case is already covered.
Kind regards,
Kris
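To make the RFC 8446 section 4.1.1 logic Kris quotes concrete, here is a small model of the server-side decision as an added example for this thread; it is not code from the mailing list, the report, or any TLS implementation. Group names follow the IANA TLS Supported Groups registry, but the two server policy lists, the constructed ClientHello offers and the Decision type are assumptions chosen for illustration. It shows that a classical-only ClientHello is accepted only when the server's own configured group list still contains a classical group; a hybrid-only policy has no overlap and must abort with a fatal alert.

```python
"""Server-side group selection for a TLS 1.3 ClientHello, following the
RFC 8446 section 4.1.1 / 4.1.4 rules quoted in the thread.

Added illustration for this thread, not code from any TLS implementation.
Group names follow the IANA TLS registry; the policy lists, client offers
and the Decision type are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Decision:
    action: str                  # "accept", "hello_retry_request" or "abort"
    group: Optional[str] = None  # group selected by the server, if any
    alert: Optional[str] = None  # fatal alert sent when action == "abort"


def negotiate_group(server_groups: List[str],
                    client_supported_groups: List[str],
                    client_key_shares: List[str]) -> Decision:
    """Apply the server's configured group list (in server preference order)
    to the supported_groups and key_share contents of a ClientHello."""
    # The server may only pick a group the client listed in supported_groups;
    # walking the server's list first makes the server's policy order win.
    selected = next((g for g in server_groups if g in client_supported_groups), None)
    if selected is None:
        # No overlap: RFC 8446 4.1.1 requires a fatal alert, never a fallback
        # to a group the server was not configured for.
        return Decision("abort", alert="insufficient_security")
    if selected in client_key_shares:
        # The client already sent a share for this group: handshake proceeds.
        return Decision("accept", group=selected)
    # Group is acceptable but no share was offered for it: the server sends a
    # HelloRetryRequest (RFC 8446 4.1.4) asking for that group.
    return Decision("hello_retry_request", group=selected)


# Hypothetical server policies (assumption: names and ordering chosen here).
HYBRID_GROUPS = {"X25519MLKEM768"}
HYBRID_ONLY = ["X25519MLKEM768"]
HYBRID_PREFERRED = ["X25519MLKEM768", "x25519", "secp256r1"]

# Constructed ClientHello offers: (supported_groups, groups with a key_share).
CLASSICAL_ONLY_CLIENT = (["x25519", "secp256r1"], ["x25519"])
HYBRID_CAPABLE_CLIENT = (["X25519MLKEM768", "x25519"], ["x25519"])


def downgrade_possible(server_groups: List[str]) -> bool:
    """True when a classical-only ClientHello ends in an accepted classical
    session under this server policy, the outcome the report calls a
    downgrade. That only happens if the policy itself still lists a
    classical group; a hybrid-only policy aborts instead."""
    supported, shares = CLASSICAL_ONLY_CLIENT
    d = negotiate_group(server_groups, supported, shares)
    return d.action == "accept" and d.group not in HYBRID_GROUPS


if __name__ == "__main__":
    policies = (("hybrid-only", HYBRID_ONLY), ("hybrid-preferred", HYBRID_PREFERRED))
    clients = (("classical-only client", CLASSICAL_ONLY_CLIENT),
               ("hybrid-capable client", HYBRID_CAPABLE_CLIENT))
    for pname, policy in policies:
        for cname, (supported, shares) in clients:
            print(f"{pname:17} {cname:22} -> {negotiate_group(policy, supported, shares)}")
```

The point for operators is that "server-side enforcement" in this model is nothing more than the contents of the configured group list: a server that wants hybrid-only sessions must not list classical groups, and the RFC's no-overlap rule then produces the fatal alert.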
_______________________________________________
TLS mailing list -- [email protected]