<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    On 09/18/2017 01:07 AM, Mahesh Bhoothapuri wrote:<br>
    <blockquote type="cite"
cite="mid:CAFTmK8FHgp5f=jgz3PTiNHoBx8_+z8p8SfHTuGCNV1DwiVjPJw@mail.gmail.com">
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
      <p style="font-family:Calibri,Helvetica,sans-serif;font-size:16px">Hi,</p>
      <p style="font-family:Calibri,Helvetica,sans-serif;font-size:16px">I
        am sending a TLS 1.3 client hello, and am seeing an issue with<br>
      </p>
      <p style="font-family:Calibri,Helvetica,sans-serif;font-size:16px">ossl_statem_client_write_transition
        in statem_clnt.c.</p>
      <p style="font-family:Calibri,Helvetica,sans-serif;font-size:16px"><br>
      </p>
      <div
        style="font-family:Calibri,Helvetica,sans-serif;font-size:16px">   
        /*<br>
             * Note that immediately before/after a ClientHello we don't
        know what<br>
             * version we are going to negotiate yet, so we don't take
        this branch until<br>
             * later<br>
             */<br>
        <br>
        <div>/*<br>
           * ossl_statem_client_write_transition() works out what
          handshake state to<br>
           * move to next when the client is writing messages to be sent
          to the server.<br>
           */<br>
          WRITE_TRAN ossl_statem_client_write_transition(SSL *s)<br>
          {<br>
        </div>
        <br>
            if (SSL_IS_TLS13(s))<br>
                return ossl_statem_client13_write_transition(s);</div>
      <div
        style="font-family:Calibri,Helvetica,sans-serif;font-size:16px">}</div>
      <p style="font-family:Calibri,Helvetica,sans-serif;font-size:16px">And
        in:</p>
      <p style="font-family:Calibri,Helvetica,sans-serif;font-size:16px"><br>
      </p>
      <div
        style="font-family:Calibri,Helvetica,sans-serif;font-size:16px">/*<br>
         * ossl_statem_client_write_transition() works out what
        handshake state to<br>
         * move to next when the client is writing messages to be sent
        to the server.<br>
         */<br>
        WRITE_TRAN ossl_statem_client_write_transition(SSL *s)<br>
        {<br>
        <br>
        <div>   /*<br>
               * Note: There are no cases for TLS_ST_BEFORE because we
          haven't negotiated<br>
               * TLSv1.3 yet at that point. They are handled by<br>
               * ossl_statem_client_write_transition().<br>
               */<br>
        </div>
        <br>
        <div>    switch (st->hand_state) {<br>
              default:<br>
                  /* Shouldn't happen */<br>
                  return WRITE_TRAN_ERROR;<br>
          <br>
          }<br>
          <br>
          With a TLS 1.3 client hello, using TLS 1.3 version, the
          st->hand_state is </div>
      </div>
    </blockquote>
    <br>
    Sorry, I just want to clarify what you are doing -- are you taking
    SSL_CTX_new(TLS_method()) and then calling
    SSL_CTX_set_min_proto_version(ctx, TLS1_3_VERSION) and
    SSL_CTX_set_max_proto_version(ctx, TLS1_3_VERSION)?<br>
    <br>
    I note that there is no version-specific TLSv1_3_method() available,
    and in any case, it's of questionable wisdom to attempt to force TLS
    1.3 only while the specification is still in draft status -- in any
    case where the client and server implementations are not tightly
    controlled, negotiation failures seem quite likely.<br>
    <br>
    <blockquote type="cite"
cite="mid:CAFTmK8FHgp5f=jgz3PTiNHoBx8_+z8p8SfHTuGCNV1DwiVjPJw@mail.gmail.com">
      <div
        style="font-family:Calibri,Helvetica,sans-serif;font-size:16px">
        <div>TLS_ST_BEFORE and so, the default error is returned.<br>
          <br>
          When I added:<br>
          <br>
          <div>    case TLS_ST_BEFORE:<br>
                    st->hand_state = TLS_ST_CW_CLNT_HELLO;<br>
                    return WRITE_TRAN_CONTINUE;<br>
            <br>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
    The reason there is not currently a case for TLS_ST_BEFORE is that
    whether or not we're going to be using TLS 1.3 is supposed to be
    determined on the server as part of version negotiation, so when
    we're sending a ClientHello, our version is in an indeterminate
    status -- the general-purpose TLS method must be used at that part
    of the handshake.<br>
    <br>
    <blockquote type="cite"
cite="mid:CAFTmK8FHgp5f=jgz3PTiNHoBx8_+z8p8SfHTuGCNV1DwiVjPJw@mail.gmail.com">
      <div
        style="font-family:Calibri,Helvetica,sans-serif;font-size:16px">
        <div>
          <div>The client hello gets sent out, but I only saw a TLS 1.2
            version being sent.</div>
          <div>Is this a bug?<br>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
    The legacy_version field in a TLS 1.3 ClientHello will be 0x0303,
    matching the historical value for TLS 1.2.  The actual list of
    versions is conveyed in a "supported_versions" extension, which is
    what you need to be looking at.<br>
    <br>
    -Ben<br>
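    <br>
    As an added illustration of the last point (example code written for this page, not part of the thread or of OpenSSL): a small Python builder and parser for a ClientHello handshake message, showing that legacy_version stays 0x0303 while the offered versions live in the supported_versions extension (type 43). The sample message, its zeroed random, the placeholder cipher suite and the draft version value 0x7f15 are all constructed here.<br>

```python
import struct

SUPPORTED_VERSIONS = 43  # extension type for supported_versions (RFC 8446 4.2.1)


def build_client_hello(versions):
    """Build a minimal ClientHello handshake message (no record layer) that
    advertises `versions` in supported_versions. Constructed sample: the
    random is zeroed and the single cipher suite is a placeholder."""
    body = b"\x03\x03"                       # legacy_version = 0x0303 (TLS 1.2 value)
    body += bytes(32)                        # random (zeroed for the sample)
    body += b"\x00"                          # legacy_session_id: empty
    body += b"\x00\x02\x13\x01"              # cipher_suites: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                      # legacy_compression_methods: null only
    sv = b"".join(struct.pack(">H", v) for v in versions)
    ext_data = bytes([len(sv)]) + sv         # 1-byte length-prefixed version list
    ext = struct.pack(">HH", SUPPORTED_VERSIONS, len(ext_data)) + ext_data
    body += struct.pack(">H", len(ext)) + ext
    return b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello = 1


def parse_client_hello(msg):
    """Return (legacy_version, supported_versions) for a ClientHello message.
    supported_versions is None when the extension is absent, which is what a
    pre-1.3 client sends; a TLS 1.3 client shows 0x0303 here but lists 0x0304
    (or a 0x7fXX draft value) in the extension."""
    if msg[0] != 1:
        raise ValueError("not a ClientHello handshake message")
    length = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + length]
    legacy_version = struct.unpack(">H", body[:2])[0]
    off = 2 + 32                                    # skip legacy_version + random
    off += 1 + body[off]                            # legacy_session_id
    cs_len = struct.unpack(">H", body[off:off + 2])[0]
    off += 2 + cs_len                               # cipher_suites
    off += 1 + body[off]                            # legacy_compression_methods
    supported = None
    if off < len(body):                             # extensions block is optional
        ext_len = struct.unpack(">H", body[off:off + 2])[0]
        off += 2
        end = off + ext_len
        while off + 4 <= end:
            etype, elen = struct.unpack(">HH", body[off:off + 4])
            off += 4
            edata = body[off:off + elen]
            off += elen
            if etype == SUPPORTED_VERSIONS:
                n = edata[0]
                supported = [struct.unpack(">H", edata[i:i + 2])[0]
                             for i in range(1, 1 + n, 2)]
    return legacy_version, supported
```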
  </body>
</html>