> Won't a downgrade be detected by the client when it fails to decrypt
> the server's data?

The main downgrade concern, I think, is for the 0.5-RTT data's confidentiality; i.e. it may have been sent encrypted under a broken cipher. You're right that the client will not accept this data because the handshake hashes (mixed into the key) would not match.

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
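The mechanism the reply describes (the transcript hash feeds the key schedule, so a tampered ClientHello leaves the client unable to decrypt, while the server's 0.5-RTT record is already on the wire under whatever suite it negotiated), modelled as an added Python example that is not part of the original message. The key schedule is a simplified single-block HKDF, the shared secret is a constructed constant, and an HMAC tag stands in for the AEAD.

```python
import hashlib
import hmac

# Constructed stand-in for the (EC)DHE shared secret both endpoints agree on.
SHARED_SECRET = hashlib.sha256(b"constructed ecdhe shared secret").digest()

def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    return hmac.new(salt, ikm, hashlib.sha256).digest()

def hkdf_expand_label(prk: bytes, label: bytes, context: bytes, length: int = 32) -> bytes:
    # One HKDF-Expand block using the TLS 1.3 HkdfLabel layout (RFC 8446 section 7.1).
    full_label = b"tls13 " + label
    info = length.to_bytes(2, "big") + bytes([len(full_label)]) + full_label
    info += bytes([len(context)]) + context
    return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()[:length]

def server_hs_key(transcript: bytes) -> bytes:
    # The transcript hash is the context, so the key is bound to every handshake byte a side saw.
    transcript_hash = hashlib.sha256(transcript).digest()
    handshake_secret = hkdf_extract(b"\x00" * 32, SHARED_SECRET)
    return hkdf_expand_label(handshake_secret, b"s hs traffic", transcript_hash)

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Stand-in for AEAD record protection: body || 32-byte HMAC tag.
    return plaintext + hmac.new(key, plaintext, hashlib.sha256).digest()

def open_record(key: bytes, record: bytes):
    body, tag = record[:-32], record[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None  # integrity failure: the client's key differs from the server's
    return body

def negotiate(client_hello: bytes) -> bytes:
    # Server picks the first suite the (possibly attacker-edited) ClientHello offers.
    return client_hello.split(b": ")[1].split()[0]

def run_handshake(client_hello: bytes, hello_seen_by_server: bytes) -> dict:
    suite = negotiate(hello_seen_by_server)
    server_hello = b"ServerHello: " + suite          # same bytes reach both endpoints
    server_key = server_hs_key(hello_seen_by_server + server_hello)
    client_key = server_hs_key(client_hello + server_hello)
    # 0.5-RTT data leaves the server before the client can reject the handshake.
    record = seal(server_key, b"0.5-RTT application data")
    return {"suite": suite, "bytes_on_wire": len(record),
            "client_accepts": open_record(client_key, record) is not None}

CLIENT_HELLO = b"ClientHello: TLS_AES_256_GCM_SHA384 TLS_AES_128_GCM_SHA256"
DOWNGRADED_HELLO = b"ClientHello: TLS_AES_128_GCM_SHA256"  # constructed attacker-edited copy

if __name__ == "__main__":
    print(run_handshake(CLIENT_HELLO, CLIENT_HELLO)["client_accepts"])      # True
    print(run_handshake(CLIENT_HELLO, DOWNGRADED_HELLO)["client_accepts"])  # False
```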
