From d6c78e2facccf9a6daed791919f195d75f572108 Mon Sep 17 00:00:00 2001 From: EKR Date: Thu, 6 Jul 2023 20:02:04 -0700 Subject: [PATCH 1/3] MT's proposed change. Fixes #1310. Fixes #1319 --- draft-ietf-tls-rfc8446bis.md | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/draft-ietf-tls-rfc8446bis.md b/draft-ietf-tls-rfc8446bis.md index ed39a2d6..7c8df11f 100644 --- a/draft-ietf-tls-rfc8446bis.md +++ b/draft-ietf-tls-rfc8446bis.md @@ -1563,16 +1563,15 @@ Random value to the bytes: 44 4F 57 4E 47 52 44 01 -If negotiating TLS 1.1 or below, TLS 1.3 servers MUST, and TLS 1.2 -servers SHOULD, set the last 8 bytes of their ServerHello.Random value to the +{{RFC8996}} and {{backward-compatibility-security}} forbid +the negotation of TLS versions below 1.2. However, server +implementations which do not follow that guidance MUST +set the last 8 bytes of their ServerHello.random value to the bytes: 44 4F 57 4E 47 52 44 00 -Note that {{RFC8996}} and {{backward-compatibility-security}} forbid -the negotation of TLS versions below 1.2; implementations which do not -follow that guidance MUST behave as described above. TLS 1.3 clients receiving a ServerHello indicating TLS 1.2 or below MUST check that the last 8 bytes are not equal to either of these values. From 332a7c096a5399133c4eb4b51480db70b236792d Mon Sep 17 00:00:00 2001 From: EKR Date: Thu, 6 Jul 2023 20:03:48 -0700 Subject: [PATCH 2/3] Fix lint --- draft-ietf-tls-rfc8446bis.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/draft-ietf-tls-rfc8446bis.md b/draft-ietf-tls-rfc8446bis.md index 7c8df11f..a7ea812a 100644 --- a/draft-ietf-tls-rfc8446bis.md +++ b/draft-ietf-tls-rfc8446bis.md 
@@ -517,7 +517,7 @@ specific technical changes: - Forbid negotiating TLS 1.0 and 1.1 as they are now deprecated by {{!RFC8996}}. -- Removes ambiguity around which hash is used with PreSharedKeys and +- Removes ambiguity around which hash is used with PreSharedKeys and HelloRetryRequest. - Require that clients ignore NewSessionTicket if they do not @@ -3925,7 +3925,7 @@ There are cryptographic limits on the amount of plaintext which can be safely encrypted under a given set of keys. {{AEAD-LIMITS}} provides an analysis of these limits under the assumption that the underlying primitive (AES or ChaCha20) has no weaknesses. Implementations MUST -either close the connection or +either close the connection or do a key update as described in {{key-update}} prior to reaching these limits. Note that it is not possible to perform a KeyUpdate for early data and therefore implementations MUST not exceed the limits @@ -6116,7 +6116,7 @@ Since -05 - Reference RFC 8773 (PR 1296) - Add some more information about application bindings and cite 6125-bis (PR 1297) - + Since -04 * Update the extension table (Issue 1241) @@ -6440,7 +6440,7 @@ Since -00 Brian Smith Independent brian@briansmith.org - + Ben Smyth Ampersand www.bensmyth.com From 1c10608a0f59984026a7c3531637f2b6e0a98ae4 Mon Sep 17 00:00:00 2001 From: Eric Rescorla Date: Fri, 7 Jul 2023 13:54:09 -0700 Subject: [PATCH 3/3] Update draft-ietf-tls-rfc8446bis.md --- draft-ietf-tls-rfc8446bis.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-tls-rfc8446bis.md b/draft-ietf-tls-rfc8446bis.md index a7ea812a..d22bd459 100644 --- a/draft-ietf-tls-rfc8446bis.md +++ b/draft-ietf-tls-rfc8446bis.md 
@@ -1564,7 +1564,7 @@ Random value to the bytes: 44 4F 57 4E 47 52 44 01 {{RFC8996}} and {{backward-compatibility-security}} forbid -the negotation of TLS versions below 1.2. However, server +the negotiation of TLS versions below 1.2. However, server implementations which do not follow that guidance MUST set the last 8 bytes of their ServerHello.random value to the bytes:
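Review bot: In [PATCH 1/3], hunk `@@ -1563,16 +1563,15 @@`, the added sentence "However, server implementations which do not follow that guidance MUST set the last 8 bytes of their ServerHello.random value to the bytes:" no longer states when the `44 4F 57 4E 47 52 44 00` sentinel applies. The removed text scoped it explicitly with "If negotiating TLS 1.1 or below", and gave TLS 1.2 servers a separate SHOULD. In the new wording the trigger is only implied by "do not follow that guidance", and the TLS 1.2 SHOULD is dropped without a replacement. Suggest keeping the condition in the normative sentence, for example "server implementations which do not follow that guidance MUST, when negotiating TLS 1.1 or below, set the last 8 bytes ...", and saying in the commit message whether removing the TLS 1.2 SHOULD is intended. The client-side check in the trailing context ("TLS 1.3 clients receiving a ServerHello indicating TLS 1.2 or below MUST check ...") depends on servers applying this rule consistently, so the condition is worth spelling out.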
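Review bot: In [PATCH 2/3], hunk `@@ -517,7 +517,7 @@`, the touched bullet "Removes ambiguity around which hash is used with PreSharedKeys and HelloRetryRequest." uses a different verb form from the neighbouring bullets in the same list, which read "Forbid negotiating TLS 1.0 and 1.1 ..." and "Require that clients ignore NewSessionTicket ...". Since this pass already rewrites the line, suggest changing it to "Remove ambiguity around ..." so the change list reads consistently.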
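Review bot: In [PATCH 2/3], hunk `@@ -3925,7 +3925,7 @@`, the trailing context line reads "therefore implementations MUST not exceed the limits", with a lowercase "not". A BCP 14 prohibition is written "MUST NOT"; as written, a reader or a keyword-scanning tool can take this as a plain "MUST" followed by ordinary prose. The lint pass already edits this paragraph ("either close the connection or"), so suggest fixing the keyword in the same change.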
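Review bot: In [PATCH 3/3], hunk `@@ -1564,7 +1564,7 @@`, the corrected line "the negotiation of TLS versions below 1.2. However, server" fixes a misspelling ("negotation") that [PATCH 1/3] adds in this same series. Suggest squashing this fix into 1/3 so the series never contains the typo, or at least replacing the subject "Update draft-ietf-tls-rfc8446bis.md" with one that says what changed, such as "Fix spelling of negotiation".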