project-everest / mitls-fstar

Verified implementation of TLS 1.3 in F*
https://www.mitls.org

miTLS server HelloRetryRequest contains server_version=0x0304, hence doesn't work against NSS #183

Closed oweisse-msft closed 6 years ago

oweisse-msft commented 7 years ago

According to section 4.1.4 in the RFC (draft 21): "The version, cipher_suite, and extensions fields have the same meanings as their corresponding values in the ServerHello". Typically, a ServerHello response to TLS 1.3 ClientHello has the protocol version set to 0x7F15 (or the relevant draft number instead of 0x15).

Two issues are apparent:

  1. When the miTLS server sends a HelloRetryRequest, it has server_version=0x0304 (TLS 1.3) instead of 0x7F15
  2. The miTLS client should have rejected the HelloRetryRequest with a "protocol_version" alert (as NSS does). Instead, miTLS continues the handshake to completion.
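
The client-side check this report asks for, as an added example that is not part of the original thread and is neither miTLS nor NSS code: it parses a draft-21 HelloRetryRequest and maps a server_version the client never offered to a fatal "protocol_version" alert. The function names, the `offered_versions` parameter and the sample message built by `build_hrr` are assumptions made for illustration.

```python
import struct

# Constants from TLS 1.3 draft-21, the draft the issue cites.
HELLO_RETRY_REQUEST = 6        # HandshakeType.hello_retry_request
DRAFT_21 = 0x7F15              # 0x7F00 | draft number 21
DECODE_ERROR, PROTOCOL_VERSION, UNEXPECTED_MESSAGE = 50, 70, 10  # AlertDescription

class FatalAlert(Exception):
    """Raised where a client would send a fatal alert and abort."""
    def __init__(self, description, reason):
        super().__init__(reason)
        self.description = description

def parse_hrr(msg: bytes):
    """Parse handshake header + HelloRetryRequest body:
    server_version(2) cipher_suite(2) extensions<2..2^16-1>."""
    if len(msg) < 4 or int.from_bytes(msg[1:4], "big") != len(msg) - 4:
        raise FatalAlert(DECODE_ERROR, "bad handshake length")
    if msg[0] != HELLO_RETRY_REQUEST:
        raise FatalAlert(UNEXPECTED_MESSAGE, "not a HelloRetryRequest")
    body = msg[4:]
    if len(body) < 6:
        raise FatalAlert(DECODE_ERROR, "truncated HelloRetryRequest")
    version, suite, ext_len = struct.unpack_from("!HHH", body)
    if ext_len != len(body) - 6:
        raise FatalAlert(DECODE_ERROR, "bad extensions length")
    exts, off = {}, 6
    while off < len(body):
        if len(body) - off < 4:
            raise FatalAlert(DECODE_ERROR, "truncated extension header")
        etype, elen = struct.unpack_from("!HH", body, off)
        off += 4
        if elen > len(body) - off:
            raise FatalAlert(DECODE_ERROR, "truncated extension body")
        exts[etype] = body[off:off + elen]
        off += elen
    return version, suite, exts

def client_check_hrr(msg: bytes, offered_versions=(DRAFT_21,)):
    """Reject an HRR whose server_version the client never offered (assumed policy)."""
    version, suite, exts = parse_hrr(msg)
    if version not in offered_versions:
        raise FatalAlert(PROTOCOL_VERSION, f"unexpected version {version:#06x}")
    return version, suite, exts

def build_hrr(version: int) -> bytes:
    """Constructed sample: HRR selecting x25519 via key_share (type 40 in draft-21)."""
    ext = struct.pack("!HHH", 40, 2, 0x001D)
    body = struct.pack("!HHH", version, 0x1301, len(ext)) + ext
    return bytes([HELLO_RETRY_REQUEST]) + len(body).to_bytes(3, "big") + body
```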

ad-l commented 6 years ago

Has been fixed a while ago