Commit
Merge pull request #1321 from ekr/issue1310
Showing 1 changed file with 8 additions and 9 deletions.
@@ -517,7 +517,7 @@ specific technical changes: | |
|
||
- Forbid negotiating TLS 1.0 and 1.1 as they are now deprecated by {{!RFC8996}}. | ||
|
||
- Removes ambiguity around which hash is used with PreSharedKeys and | ||
- Removes ambiguity around which hash is used with PreSharedKeys and | ||
HelloRetryRequest. | ||
|
||
- Require that clients ignore NewSessionTicket if they do not | ||
|
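Review bot: the only change in this hunk is the line "Removes ambiguity around which hash is used with PreSharedKeys and", shown twice with no visible difference, so it is a whitespace-only edit; the same pattern recurs in the hunks at 3930, 6121 and 6445. Mixing trailing-whitespace cleanup into a PR that also rewrites normative text (the ServerHello.random hunk below) makes the substantive change harder to spot in review; consider splitting the whitespace fixes into a separate commit.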
@@ -1568,16 +1568,15 @@ Random value to the bytes: | |
|
||
44 4F 57 4E 47 52 44 01 | ||
|
||
If negotiating TLS 1.1 or below, TLS 1.3 servers MUST, and TLS 1.2 | ||
servers SHOULD, set the last 8 bytes of their ServerHello.Random value to the | ||
{{RFC8996}} and {{backward-compatibility-security}} forbid | ||
the negotiation of TLS versions below 1.2. However, server | ||
implementations which do not follow that guidance MUST | ||
set the last 8 bytes of their ServerHello.random value to the | ||
bytes: | ||
|
||
44 4F 57 4E 47 52 44 00 | ||
|
||
|
||
Note that {{RFC8996}} and {{backward-compatibility-security}} forbid | ||
the negotation of TLS versions below 1.2; implementations which do not | ||
follow that guidance MUST behave as described above. | ||
|
||
TLS 1.3 clients receiving a ServerHello indicating TLS 1.2 or below | ||
MUST check that the last 8 bytes are not equal to either of these values. | ||
|
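Review bot: the rewrite changes a requirement level and should say so in the PR description. The removed text said "TLS 1.3 servers MUST, and TLS 1.2 servers SHOULD" set the sentinel, while the new text makes it a MUST for any server that negotiates a version below 1.2, so a TLS 1.2 server that still allows TLS 1.1 moves from SHOULD to MUST. That follows naturally from {{RFC8996}} forbidding those versions, and folding the old trailing "Note that ..." paragraph (with its "negotation" typo) into the main sentence reads better, but the stricter level deserves a changelog entry. Also confirm that the capitalization change from "ServerHello.Random" to "ServerHello.random" matches the field name used in the ServerHello struct elsewhere in the draft, and that the client-side check that follows ("MUST check that the last 8 bytes are not equal to either of these values") still reads correctly now that the server requirement is stated in terms of "versions below 1.2" rather than "TLS 1.1 or below".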
@@ -3931,7 +3930,7 @@ There are cryptographic limits on the amount of plaintext which can be | |
safely encrypted under a given set of keys. {{AEAD-LIMITS}} provides | ||
an analysis of these limits under the assumption that the underlying | ||
primitive (AES or ChaCha20) has no weaknesses. Implementations MUST | ||
either close the connection or | ||
either close the connection or | ||
do a key update as described in {{key-update}} prior to reaching these limits. | ||
Note that it is not possible to perform a KeyUpdate for early data | ||
and therefore implementations MUST not exceed the limits | ||
|
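Review bot: the visible change here is whitespace-only (the two copies of "either close the connection or" are identical), but while this paragraph is being touched, the trailing context "implementations MUST not exceed the limits" should read "MUST NOT" to match the BCP 14 capitalization used two lines earlier ("Implementations MUST either close the connection or do a key update").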
@@ -6122,7 +6121,7 @@ Since -05 | |
- Reference RFC 8773 (PR 1296) | ||
- Add some more information about application bindings and cite | ||
6125-bis (PR 1297) | ||
|
||
Since -04 | ||
|
||
* Update the extension table (Issue 1241) | ||
|
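Review bot: the "Since -05" list gains only a whitespace change here and has no entry for this PR (#1321, issue 1310), even though the hunk at 1568 rewrites normative text about the ServerHello.random downgrade sentinel. Add an entry in the same form as "- Reference RFC 8773 (PR 1296)", for example "- Require the downgrade sentinel from any server negotiating below TLS 1.2 (Issue 1310, PR 1321)". Separately, the "Since -05" entries use "-" as the bullet while "Since -04" uses "*"; pick one marker for the changelog.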
@@ -6446,7 +6445,7 @@ Since -00 | |
Brian Smith | ||
Independent | ||
[email protected] | ||
|
||
Ben Smyth | ||
Ampersand | ||
www.bensmyth.com | ||
|