[openssl-dev] TLS 1.3 non compliance with current draft
Matt Caswell
matt at openssl.org
Mon Sep 4 06:51:19 UTC 2017
On 01/09/17 18:05, Hubert Kario wrote:
> When openssl sends a second Client Hello message, it modifies it quite
> extensively, not only client_random is changed but also advertised cipher
> suites.
>
> see https://github.com/openssl/openssl/issues/4292
>
> That makes it non-compliant with the current draft (-21):
Yes, I've seen the github issue on this. I will take a look at this at
some point this week.
Matt
>
> When a client first connects to a server, it is REQUIRED to send the
> ClientHello as its first message. The client will also send a
> ClientHello when the server has responded to its ClientHello with a
> HelloRetryRequest. In that case, the client *MUST send the same*
> *ClientHello* (without modification) except:
>
> - If a "key_share" extension was supplied in the HelloRetryRequest,
> replacing the list of shares with a list containing a single
> KeyShareEntry from the indicated group.
>
> - Removing the "early_data" extension (Section 4.2.9) if one was
> present. Early data is not permitted after HelloRetryRequest.
>
> - Including a "cookie" extension if one was provided in the
> HelloRetryRequest.
>
> - Updating the "pre_shared_key" extension if present by recomputing
> the "obfuscated_ticket_age" and binder values and (optionally)
> removing any PSKs which are incompatible with the server's
> indicated cipher suite.
>
>
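The rule quoted in this message can be checked mechanically over two captured ClientHello bodies. The following is an added example, not part of the original message and not OpenSSL code; it compares field by field and does not compare extension order. The function names, the `hrr_exts` parameter and the sample bytes are constructed for illustration, and the extension code points are those of draft -21.

```python
KEY_SHARE, PRE_SHARED_KEY, EARLY_DATA, COOKIE = 40, 41, 42, 44  # draft -21 code points

def parse_client_hello(body):  # body: ClientHello with the handshake header removed
    pos = 0
    def take(n):
        nonlocal pos
        pos += n
        if pos > len(body):
            raise ValueError("truncated ClientHello")
        return body[pos - n:pos]
    def num(width):
        return int.from_bytes(take(width), "big")
    def vec(width):  # length-prefixed vector
        return take(num(width))
    hello = {"legacy_version": take(2), "random": take(32), "session_id": vec(1),
             "cipher_suites": vec(2), "compression": vec(1)}
    end, exts = num(2) + pos, {}
    while pos < end:
        etype = num(2)
        exts[etype] = vec(2)
    return hello, exts

def hrr_violations(first, second, hrr_exts):
    """List departures of `second` from `first` beyond the four listed exceptions.
    hrr_exts (assumed input): set of extension types seen in the HelloRetryRequest."""
    (a, ea), (b, eb) = parse_client_hello(first), parse_client_hello(second)
    out = [f"{k} changed" for k in a if a[k] != b[k]]
    rewritable = {PRE_SHARED_KEY} | ({KEY_SHARE} & hrr_exts)  # bodies may differ
    for t in sorted(set(ea) | set(eb)):
        allowed = ((t in rewritable and t in ea and t in eb)
                   or (t == COOKIE and t in hrr_exts and t not in ea)
                   or (t == EARLY_DATA and t not in eb))
        if not allowed and ea.get(t) != eb.get(t):
            out.append(f"extension {t} changed")
    if EARLY_DATA in eb:
        out.append("early_data still present")
    if COOKIE in hrr_exts and COOKIE not in eb:
        out.append("cookie missing")
    return out

def build_hello(random, suites, exts):  # serialises the constructed samples below
    p = lambda w, d: len(d).to_bytes(w, "big") + d
    e = b"".join(t.to_bytes(2, "big") + p(2, d) for t, d in exts.items())
    return b"\x03\x03" + random + p(1, b"") + p(2, suites) + p(1, b"\x00") + p(2, e)

# Constructed samples; extension bodies are opaque filler, 43 = supported_versions.
SV, SUITES = {43: b"\x02\x7f\x15"}, bytes.fromhex("130113021303")
FIRST = build_hello(b"\x11" * 32, SUITES, {**SV, KEY_SHARE: b"AB", EARLY_DATA: b""})
GOOD = build_hello(b"\x11" * 32, SUITES, {**SV, KEY_SHARE: b"CD", COOKIE: b"c"})
BAD = build_hello(b"\x22" * 32, SUITES[:2], {**SV, KEY_SHARE: b"CD", COOKIE: b"c"})
```

`hrr_violations(FIRST, BAD, {KEY_SHARE, COOKIE})` reports the changed random and cipher suite list, the same two deviations the report describes, while `GOOD` passes with an empty list.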