Hubert Kario <hka...@redhat.com> wrote: > Currently the description of the extension states that only TLS versions > can > be listed in the extension and all unknown versions must be ignored. > > I wonder if making it explicit that {3, 0} and any lower values MUST NOT be > advertised wouldn't be a good idea, if only to hammer it that SSL3 must > not be > used. >
AFAICT, there's no need to list any version in that extension lower than TLS 1.2, and maybe not even TLS 1.2. If the server understand the extension then it is (almost?) definitely a TLS 1.3+ implementation, so it should choose TLS 1.3 or later. If the server doesn't understand the extension then it will use the ClientHello.legacy_version field for version negotiation. Therefore, I suggest the following change: OLD: "Implementations of this specification MUST send this extension containing all versions of TLS which they are prepared to negotiate. For this specification, that means minimally {3, 4}, but if previous versions of TLS are supported, they MUST be present as well." NEW: "Implementations of this specification MUST send this extension containing all versions of TLS from TLS 1.3 onwards (only) which they are prepared to negotiate. For this specification, that means minimally {3, 4}. If previous versions of TLS are supported, they MUST NOT be present." Cheers, Brian
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls