Re: [TLS] Warning alert before TLS 1.3 ServerHello

Martin Thomson <> Thu, 10 May 2018 02:07 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 8D2241200C5 for <>; Wed, 9 May 2018 19:07:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id thEkr2gECL5H for <>; Wed, 9 May 2018 19:07:49 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4003:c0f::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 9F641129C70 for <>; Wed, 9 May 2018 19:07:49 -0700 (PDT)
Received: by with SMTP id t1-v6so598128oth.8 for <>; Wed, 09 May 2018 19:07:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=UnWmRwpZw3wsDIYvqfmEDMKZfjmx5mfPtfcVZK5exps=; b=q1xS97k2iTTH84Yl6IMKlMoMJlEgfipVkV2Xtmfg1FzWjBxlyFgRzy1R29pgqcimF+ pN4vIw3oCTUhA5KVpWQdYPn+3F1S2F7F15jUdeA1kQxJ6BnDulM4vQMa21oCIXZG7tRj BKQfv+Hjuc3Y+1539Z+nw3FpnoP/KWZawdpwOJkIaNwpSt8HuDxKuFFRHuN/mLuJNn+u R7FQpee/W2dPY7lL5EP/DtBOOM9FS8H3GE1Dq4S2reN9ImLbzA/oS7UFKEtS0dx3/ls2 Iq4vuat51+PT9pAqQ6QUCBFgjFPv+JiVpxMt2Nz246MU53VVoDkqcaXFCIs63tEAkCG9 0pHw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=UnWmRwpZw3wsDIYvqfmEDMKZfjmx5mfPtfcVZK5exps=; b=Ae0+gn65CJ9BIP7BIC49e7QLvGDdBGrPXKtMDfH0t9qvdew875x9XyQQtHkDin98gS tzFRaIzB3tFkLYoAMDC7FYaPHYOZCKudyeTLeCiIkdmMajmu4huaATv0y/efsxZEdYj+ 0aqs+tZASzgdk3tIuJAsS7zYckHP9NPb79TlY8kL+X5HulcLdR9eB1BpoSsxNC7PBakG DzR6BWgkofWqi7NajSY46pSwBjx4jOb1M4CUkQbkLdholZhytgkAGClMr0Qkl+k7gMhF eLeD80K4YAWGZI3C7DQM1YpP04+pTv3eP6eoWeyMsVftE+Ab3l008E+mOY9PvvTFlIsJ fleg==
X-Gm-Message-State: ALQs6tCl1qxYWuZykhIp7va0PkGba1feKnG8OvEJJHgqNT3RnCYvEWn7 CO5yattYFs5nsTcb5d0fBdYpEoxu+RUnjGp6U8OWPA==
X-Google-Smtp-Source: AB8JxZrPb1JMMP8+i1xJbDQiNygf0fLfi67ua9TBS7Vn5w4ixWdCq6ljyII26w82crNZ9uLPG/ZNgVsyutJUveQmzVA=
X-Received: by 2002:a9d:3a65:: with SMTP id j92-v6mr36980610otc.352.1525918068396; Wed, 09 May 2018 19:07:48 -0700 (PDT)
MIME-Version: 1.0
References: <> <>
In-Reply-To: <>
From: Martin Thomson <>
Date: Thu, 10 May 2018 02:07:37 +0000
Message-ID: <>
To: Eric Rescorla <>
Cc:, "<>" <>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Subject: Re: [TLS] Warning alert before TLS 1.3 ServerHello
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 10 May 2018 02:07:51 -0000

This alert is actually fairly common (though I'm surprised to see OpenSSL
still doing it) and clients need to handle it, unfortunately.  Before the
client has any confirmation that it is doing TLS 1.3, it has to assume that
the server is any TLS version.

Of course, if the client isn't prepared to negotiate earlier versions, it
might choke on that alert based on the TLS 1.3 alert handling roles, so the
server shouldn't really be sending it.  If the spec is still available for
changes, it's probably worth mentioning this issue.  I forgot to check the
spec when I made/reviewed the corresponding change in NSS.
On Thu, May 10, 2018 at 3:57 AM Eric Rescorla <> wrote:

> But it actually sends an SH? That seems odd and kind of an ambiguous
point in the spec.

> -Ekr

> On Wed, May 9, 2018 at 10:14 AM, Roelof duToit <> wrote:

>> In one of our tests OpenSSL 1.1.1-dev sends an unrecognized_name warning
alert before a TLS 1.3 (draft 26) ServerHello.  Alert level is supposed to
be implicit in TLS 1.3, but in this case it is ambiguous.  Should it even
be considered a “TLS 1.3 alert” given that it arrives before the protocol
version is confirmed?

>> TLS 1.3 draft section 6 states that "All the alerts listed in Section
6.2 MUST be sent with AlertLevel=fatal and MUST be treated as error alerts
regardless of the AlertLevel in the message”.   Is the client supposed to
remember that it received a warning level alert and terminate after parsing
the ServerHello?

>> —Roelof

>> _______________________________________________
>> TLS mailing list

> _______________________________________________
> TLS mailing list