In the process of testing my TLS 1.3 draft-23 implementation against OpenSSL 
(openssl.git:50ea9d2b3521467a11559be41dcf05ee05feabd6) I ran into an 
interoperability issue: the retry ClientHello record header version is set at 
0x0301, while the ServerHello (HRR) and fake CCS records arriving from the 
server have record header version 0x0303.  I know this is according to the 
letter of the spec, specifically this sentence from Section 5.1:


In order to maximize backwards compatibility, records containing the 
ClientHello MUST have version 0x0301 and records containing the ServerHello 
MUST have version 0x0303, reflecting TLS 1.0 and TLS 1.2 respectively.


In diagram format:

0x0301:CH -->

<-- 0x0303:SH(HRR)

<-- 0x0303:CCS

0x0301:CH(retry) -->

<-- 0x0303:SH



.. but I do think it will cause more issues down the line due to the record 
header version toggling between 0x0301 and 0x0303.  At the point in the 
handshake where the retry ClientHello is sent the "compatibility mode" changes 
have already served its purpose.  I believe some interop issues could be 
avoided by sending the retry ClientHello with record header version 0x0303.




TLS mailing list

Reply via email to