I think for question 1, it should ignore legacy_version, and select a version from supported_versions, because if a client only supports TLS 1.1 and TLS 1.3, in order to connect to pre-TLS1.3 server, it has to set legacy_version to TLS 1.1.
I have no idea about questions 2 or 3. Best, Xiaoyin From: Matt Caswell<mailto:fr...@baggins.org> Sent: Monday, October 31, 2016 2:44 PM To: tls@ietf.org<mailto:tls@ietf.org> Subject: [TLS] supported_versions question A few supported_versions questions: 1) What should a server do if supported_versions is received but ClientHello.legacy_version != TLS1.2? Fail the handshake, or just ignore legacy_version? 2) What should a server do if supported_versions is received, ClientHello.legacy_version == TLS1.2, but supported_versions does not contain TLS1.3 or TLS1.2 (e.g. it contains TLS1.1 or below)? Fail the handshake, use the legacy_version, or use use the versions in supported_versions? 3) If the answer to (2) above is ignore the legacy_version, and just use the versions in supported_versions, which client_version should be used in the RSA pre-master secret calculation? The one in legacy_version, or the highest one in supported_versions? Presumably it has to be the one in legacy_version, otherwise thing will fail when the client talks to a server that doesn't understand supported_versions? Matt _______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls
_______________________________________________ TLS mailing list TLS@ietf.org https://www.ietf.org/mailman/listinfo/tls