[openssl-dev] TLS 1.3 non compliance with current draft
Hubert Kario
hkario at redhat.com
Fri Sep 1 17:05:51 UTC 2017
When OpenSSL sends a second Client Hello message, it modifies it quite
extensively: not only is client_random changed, but also the advertised
cipher suites.
See https://github.com/openssl/openssl/issues/4292
That makes it non-compliant with the current draft (-21):

   When a client first connects to a server, it is REQUIRED to send the
   ClientHello as its first message. The client will also send a
   ClientHello when the server has responded to its ClientHello with a
   HelloRetryRequest. In that case, the client *MUST send the same
   ClientHello* (without modification) except:

   - If a "key_share" extension was supplied in the HelloRetryRequest,
     replacing the list of shares with a list containing a single
     KeyShareEntry from the indicated group.

   - Removing the "early_data" extension (Section 4.2.9) if one was
     present. Early data is not permitted after HelloRetryRequest.

   - Including a "cookie" extension if one was provided in the
     HelloRetryRequest.

   - Updating the "pre_shared_key" extension if present by recomputing
     the "obfuscated_ticket_age" and binder values and (optionally)
     removing any PSKs which are incompatible with the server's
     indicated cipher suite.

--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic
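
The rule quoted in the message above, written as a check over the first and second ClientHello. This is an added example, not part of the original message and not OpenSSL code; the function names, the extension numbering noted in the comments and the two sample messages are assumptions constructed for the illustration.

```python
# Extension code points. Assumption: RFC 8446 numbering, plus 40, which
# drafts up to -22 used for key_share before it moved to 51.
KEY_SHARE, PRE_SHARED_KEY, EARLY_DATA, COOKIE = (40, 51), 41, 42, 44

def vec(data, width):
    return len(data).to_bytes(width, "big") + data   # length-prefixed vector

def build_client_hello(random, suites, exts):
    """Build a constructed ClientHello body (no handshake header) as test input."""
    ext_block = b"".join(t.to_bytes(2, "big") + vec(d, 2) for t, d in exts)
    return b"\x03\x03" + random + vec(b"", 1) + vec(suites, 2) + vec(b"\x00", 1) + vec(ext_block, 2)

def read_vec(buf, pos, width):
    """Read a vector with a width-byte length prefix; return (data, next_pos)."""
    end = pos + width + int.from_bytes(buf[pos:pos + width], "big")
    if end > len(buf):
        raise ValueError("truncated vector")
    return buf[pos + width:end], end

def parse_client_hello(body):
    """Split a ClientHello body into its fields; extensions become {type: data}."""
    fields, pos = {"version": body[:2], "random": body[2:34]}, 34
    for name, width in (("session_id", 1), ("cipher_suites", 2),
                        ("compression", 1), ("extensions", 2)):
        fields[name], pos = read_vec(body, pos, width)
    block, exts, i = fields["extensions"], {}, 0
    while i + 4 <= len(block):
        etype = int.from_bytes(block[i:i + 2], "big")
        exts[etype], i = read_vec(block, i + 2, 2)
    return dict(fields, extensions=exts)

def hrr_violations(ch1, ch2, hrr_exts):
    """List what the second ClientHello changed beyond the four quoted exceptions.
    hrr_exts is the set of extension types the HelloRetryRequest carried."""
    a, b = parse_client_hello(ch1), parse_client_hello(ch2)
    e1, e2 = a.pop("extensions"), b.pop("extensions")
    bad = [f for f in a if a[f] != b[f]]          # fixed fields must be identical
    for t in sorted(set(e1) | set(e2)):
        if t == EARLY_DATA:
            ok = t not in e2                      # must be gone after HRR
        elif t in KEY_SHARE or t == COOKIE:
            ok = e1.get(t) == e2.get(t) or (t in hrr_exts and t in e2)
        else:
            ok = e1.get(t) == e2.get(t) or (t == PRE_SHARED_KEY and t in e1)
        if not ok:
            bad.append("extension %d" % t)
    return bad

FIRST = build_client_hello(b"\x01" * 32, b"\x13\x01\x13\x02", [(43, b"\x02\x7f\x15")])  # constructed
RETRY = build_client_hello(b"\x02" * 32, b"\x13\x01", [(43, b"\x02\x7f\x15")])
```

`hrr_violations(FIRST, RETRY, set())` reports the changed random and cipher suites. The check does not compare extension order or verify that a replaced key_share holds a single entry from the group the server indicated.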