tlswg / tls13-spec

TLS 1.3 Specification

Simplify TLS 1.1 fallback #1310

Closed martinthomson closed 1 year ago

martinthomson commented 1 year ago

If negotiating TLS 1.1 or below, TLS 1.3 servers MUST, and TLS 1.2 servers SHOULD, set the last 8 bytes of their ServerHello.Random value to the bytes:

44 4F 57 4E 47 52 44 00

Note that [RFC8996] and Appendix E.5 forbid the negotiation of TLS versions below 1.2; implementations which do not follow that guidance MUST behave as described above.

I think that this would be better phrased as:

RFC 8996 [RFC8996] and Appendix E.5 forbid the negotiation of TLS versions below 1.2. However, server implementations which do not follow that guidance MUST set the last 8 bytes of their ServerHello.random value to the bytes:

44 ...

Notes:

  1. I think that it is ServerHello.Random and not ServerHello.random.
  2. I don't think that we should loosen the mandate for TLS 1.2 servers. Servers that implement TLS 1.2 can simply choose to ignore this specification (as they already did prior to us starting work on TLS 1.3).

ekr commented 1 year ago

@martinthomson see the above. PR.

However, it is .random. The name of the type is Random, but the field is random:

       struct {
           ProtocolVersion legacy_version = 0x0303;    /* TLS v1.2 */
           Random random;
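As an added illustration of the sentinel mechanism this issue is about (example code written for this page, not from the tls13-spec repository or the RFC text): the server side overwrites the last 8 bytes of ServerHello.random, and the client side performs the check from RFC 8446 section 4.1.3. It goes slightly beyond the quoted paragraph by also covering the second sentinel, ending in 01, which RFC 8446 defines for a TLS 1.3 server that negotiates TLS 1.2. The version constants and function names are my own.

```python
import os
from typing import Optional

# Downgrade sentinels from RFC 8446 section 4.1.3. The issue quotes the first
# one ("DOWNGRD\x00", TLS 1.1 and below); the "\x01" variant marks a TLS 1.3
# server that ended up negotiating TLS 1.2.
TLS10, TLS11, TLS12, TLS13 = 0x0301, 0x0302, 0x0303, 0x0304
SENTINEL_TLS11_OR_BELOW = bytes.fromhex("444F574E47524400")  # "DOWNGRD\0"
SENTINEL_TLS12 = bytes.fromhex("444F574E47524401")           # "DOWNGRD\1"


def make_server_random(negotiated: int, server_max: int,
                       rand: Optional[bytes] = None) -> bytes:
    """Build the 32-byte ServerHello.random a server sends.

    A TLS 1.3 server negotiating an older version (and, per the SHOULD in the
    quoted text, a TLS 1.2 server negotiating TLS 1.1 or below) replaces the
    last 8 bytes with the matching sentinel; otherwise all 32 bytes are random.
    """
    rand = os.urandom(32) if rand is None else rand
    if len(rand) != 32:
        raise ValueError("ServerHello.random must be 32 bytes")
    if server_max >= TLS13 and negotiated == TLS12:
        sentinel = SENTINEL_TLS12
    elif server_max >= TLS12 and negotiated < TLS12:
        sentinel = SENTINEL_TLS11_OR_BELOW
    else:
        return rand
    return rand[:24] + sentinel


def check_downgrade(server_random: bytes, negotiated: int, client_max: int) -> bool:
    """Client-side check from RFC 8446 section 4.1.3.

    Returns True when ServerHello.random proves a downgrade the client must
    reject with an illegal_parameter alert: a TLS 1.3 client offered 1.3 but
    the server chose 1.2 or lower and stamped either sentinel, or a TLS 1.2
    client was pushed below 1.2 and sees the "\x00" sentinel.
    """
    if len(server_random) != 32:
        raise ValueError("ServerHello.random must be 32 bytes")
    tail = server_random[-8:]
    if client_max >= TLS13 and negotiated <= TLS12:
        return tail in (SENTINEL_TLS12, SENTINEL_TLS11_OR_BELOW)
    if client_max == TLS12 and negotiated < TLS12:
        return tail == SENTINEL_TLS11_OR_BELOW
    return False
```

Passing a fixed 32-byte value as `rand` makes the stamping visible; in a real handshake the random must come from a CSPRNG as the default does.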