Thanks, Martin. This is correct.
So there are two ways to fix this:
As Martin suggests, make TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA one of the MTI
instead of the current, or
Add 0xC0,0x23 (TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256) to the list of
ciphersuites.
The first seems more consistent to
I just noticed a strange inconsistency in section 6 of
draft-ietf-tls-rfc4492bis-17
https://tools.ietf.org/html/draft-ietf-tls-rfc4492bis-17#section-6
The last of the "must implement 1 of these 4" list of cipher suites at
the end of section 6 is not contained in the table at the beginning of
