On Mon, Oct 17, 2016 at 10:25:07AM -1000, Brian Smith wrote:
> Hubert Kario <hka...@redhat.com> wrote:
> 
> > Currently the description of the extension states that only TLS versions
> > can
> > be listed in the extension and all unknown versions must be ignored.
> >
> > I wonder if making it explicit that {3, 0} and any lower values MUST NOT be
> > advertised wouldn't be a good idea, if only to hammer it that SSL3 must
> > not be
> > used.
> >
> 
> AFAICT, there's no need to list any version in that extension lower than
> TLS 1.2, and maybe not even TLS 1.2. If the server understand the extension
> then it is (almost?) definitely a TLS 1.3+ implementation, so it should
> choose TLS 1.3 or later. If the server doesn't understand the extension
> then it will use the ClientHello.legacy_version field for version
> negotiation.
> 
> Therefore, I suggest the following change:
> 
> OLD: "Implementations of this specification MUST send this extension
> containing all versions of TLS which they are prepared to negotiate. For
> this specification, that means minimally {3, 4}, but if previous versions
> of TLS are supported, they MUST be present as well."
> 
> NEW: "Implementations of this specification MUST send this extension
> containing all versions of TLS from TLS 1.3 onwards (only) which they are
> prepared to negotiate. For this specification, that means minimally {3, 4}.
> If previous versions of TLS are supported, they MUST NOT be present."

Omitting TLS 1.2 causes failures in some downnegotiation cases (when there
are higher versions supported, but not overlapping).

OTOH, negotiating 1.0 or 1.1 with this extension supported at both sides
is very unlikely.


-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls

Reply via email to