Re: [TLS] consensus on backwards compatibility changes

[mrex@sap.com (Martin Rex)]

Sean Turner wrote:
> 
> 1) We'd like to make it crystal clear in the SSL3.0 text whether you're
> talking about the hello version or record version. We're pretty sure that
> 'protocol version' in the following is the hello version but we think
> that should be made clear.
> 
>  Implementations MUST NOT send a ClientHello or ServerHello with
>  the protocol version set to { 3, 0 } or less. Any endpoint receiving a
>  Hello message with the protocol version set to { 3, 0 } MUST respond
>  with a "protocol_version" alert message and close the connection.


A description similar to this caused the TLS version negotiation problems.
The structure members in the handshake message PDUs are called
ClientHello.client_version and ServerHello.server_version.

If the above paragraph is meant to apply to the structure members
(client_version, server_version) of the respective TLS handshake message PDUs
(ClientHello, ServerHello), then please use the names of these structure
members for disambiguation.


We really should retain the TLSv1.2 requirement that TLS v1.3 servers
MUST accept any version number (3,x) at the TLS record layer for TLS
records sent before ServerHello in a TLS handshake on a new connection.

The TLS record that carries ServerHello is the first TLS record where
the version of the protocol is well defined for the server, i.e. the sender
of the record(s) that carry ServerHello.  For the client (recipient
of the ServerHello), the version becomes known only after it has started
parsing the ServerHello handshake message.  It is still unknown to the
client when it is receiving the TLS record that carries ServerHello.


-Martin