Re: [TLS] Warning alert before TLS 1.3 ServerHello

R duToit <> Thu, 10 May 2018 14:59 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 41F971243FE for <>; Thu, 10 May 2018 07:59:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 76lg0L4nIryT for <>; Thu, 10 May 2018 07:59:39 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C8DF91241FC for <>; Thu, 10 May 2018 07:59:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; t=1525964375; s=zoho;;; h=Date:From:To:Cc:Message-Id:In-Reply-To:References:Subject:MIME-Version:Content-Type; l=3988; bh=GCbV98XohYe7HvirVYR3p0h2W6hiJRkyA4pCV/J21x0=; b=yrZ1deLI17DLL0uwUYhvZ/VnV5OBZCpEvuLtSIlff+Q9glLrB3JGs2qK1O2EEjUU TVX+YksDTv9a3ysvdsSoBfNhh9Np+/H15pEOCSbKkwUQkN21XSBASX5nheM7TlbYrl4 dikkppRKwpETJJqkZE0TUsACPArA/Rx3aPdzv1Lo=
Received: from by with SMTP id 1525964375179174.29971095914402; Thu, 10 May 2018 07:59:35 -0700 (PDT)
Date: Thu, 10 May 2018 10:59:35 -0400
From: R duToit <>
To: Martin Thomson <>
Cc: "<>" <>
Message-Id: <>
In-Reply-To: <>
References: <> <> <> <> <>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_Part_86147_1485997327.1525964375177"
X-Priority: Medium
User-Agent: Zoho Mail
X-Mailer: Zoho Mail
Archived-At: <>
Subject: Re: [TLS] Warning alert before TLS 1.3 ServerHello
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 10 May 2018 14:59:40 -0000

The server sending the alert at warning level while knowing that it is about to negotiate TLS 1.3 seems to be in violation of the statement that "All alerts listed in Section 6.2 MUST be sent with AlertLevel=fatal," - that is probably more of an implementation issue.

The client's reaction to the warning alert is what is ambiguous.  Some TLS 1.3 client implementations will ignore the alert, while others will choke.

---- On Thu, 10 May 2018 02:05:18 -0400 Martin Thomson &lt;; wrote ---- 

On Thu, May 10, 2018 at 1:48 PM Viktor Dukhovni &lt;; 
&gt; I may be misreading the code, but it sure looks like the alert is only 
&gt; sent if the application callback for the server name extension asks 
&gt; OpenSSL to do that. The application can just decline the extension 
&gt; and let the handshake continue with a default certificate... Is 
&gt; the surprise that the alert is sent, or that it is a warning, or 
&gt; something else? 
It's risking a failed connection. Though perhaps not that much more than 
providing the client with a certificate it might not like. 
TLS mailing list