tlswg / tls13-spec

TLS 1.3 Specification

Errata 6136 #1355

Closed BenSmyth closed 1 month ago

BenSmyth commented 3 months ago

Errata 6136

Section 4.1.4 says:

Upon receipt of a HelloRetryRequest, the client MUST check the legacy_version, legacy_session_id_echo, cipher_suite, and legacy_compression_method as specified in Section 4.1.3

but

Section 4.1.3 defines no checks for legacy_version nor legacy_compression_method

Specifically, we have (RFC8446)

...the legacy_version field MUST be set to 0x0303...

and

legacy_compression_method: A single byte which MUST have the value 0.

neither of which are checks, whereas

A client which receives a legacy_session_id_echo field that does not match what it sent in the ClientHello MUST abort the handshake with an "illegal_parameter" alert.

and

A client which receives a cipher suite that was not offered MUST abort the handshake with an "illegal_parameter" alert.

i.e., clients perform checks on legacy_session_id_echo and illegal_parameter, but not legacy_version nor legacy_compression_method. Either (1) wording in Section 4.1.4 should state checks if needed, (2) revise Section 4.1.4 as follows "Upon receipt of a HelloRetryRequest, the client MUST check the legacy_session_id_echo and cipher_suite as specified in Section 4.1.3." or (3) I've misunderstood.

ekr commented 1 month ago

I concur. https://github.com/tlswg/tls13-spec/pull/1364 fixes this.
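
The distinction raised in this issue, as an added example that is not part of the thread, the RFC, or the pull request: a client-side check of a HelloRetryRequest body that aborts with "illegal_parameter" on the two fields for which the quoted text defines a check, and only reports deviations in the two fields that carry a "MUST be set" requirement. The names `check_hello_retry_request`, `build_hrr` and `TLSAlert` are hypothetical, the sample message is constructed, and reporting rather than alerting on legacy_version and legacy_compression_method is an assumption made to mirror the issue, not behaviour taken from the specification.

```python
import hashlib
import struct

# RFC 8446 marks a HelloRetryRequest by this fixed ServerHello.random value.
HRR_RANDOM = hashlib.sha256(b"HelloRetryRequest").digest()


class TLSAlert(Exception):
    """Handshake abort carrying the alert description (hypothetical helper)."""


def check_hello_retry_request(body, sent_session_id, offered_suites):
    """Validate a ServerHello body (handshake header stripped, extensions ignored).

    Raises TLSAlert for the two checks the quoted text defines; returns a list
    of deviations in the two fields that only have a "MUST be set" requirement.
    """
    if len(body) < 35:
        raise TLSAlert("decode_error")
    legacy_version, = struct.unpack_from("!H", body, 0)
    random = body[2:34]
    sid_len = body[34]
    end_sid = 35 + sid_len
    if sid_len > 32 or len(body) < end_sid + 3:
        raise TLSAlert("decode_error")
    session_id_echo = body[35:end_sid]
    cipher_suite, = struct.unpack_from("!H", body, end_sid)
    compression = body[end_sid + 2]

    if random != HRR_RANDOM:
        raise ValueError("not a HelloRetryRequest")
    # Checks with a defined abort in the text quoted from Section 4.1.3.
    if session_id_echo != sent_session_id:
        raise TLSAlert("illegal_parameter")
    if cipher_suite not in offered_suites:
        raise TLSAlert("illegal_parameter")

    # Fields with a value requirement but no client check in the quoted text.
    unchecked = []
    if legacy_version != 0x0303:
        unchecked.append("legacy_version=0x%04x" % legacy_version)
    if compression != 0:
        unchecked.append("legacy_compression_method=%d" % compression)
    return unchecked


def build_hrr(version=0x0303, sid=b"\x11" * 32, suite=0x1301, comp=0):
    """Constructed sample message body; extensions omitted for brevity."""
    return (struct.pack("!H", version) + HRR_RANDOM + bytes([len(sid)]) + sid
            + struct.pack("!HB", suite, comp))
```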