Re: [TLS] TLS 1.3 - Support for compression to be removed

"Short, Todd" <> Wed, 07 October 2015 21:28 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id A58D21B310B for <>; Wed, 7 Oct 2015 14:28:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -0.721
X-Spam-Status: No, score=-0.721 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id Zbqbc-eIzzGB for <>; Wed, 7 Oct 2015 14:28:32 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id AD2211B30F7 for <>; Wed, 7 Oct 2015 14:28:32 -0700 (PDT)
Received: from (localhost.localdomain []) by postfix.imss70 (Postfix) with ESMTP id E2CA0200041; Wed, 7 Oct 2015 21:28:31 +0000 (GMT)
Received: from ( []) by (Postfix) with ESMTP id CAB5520002D; Wed, 7 Oct 2015 21:28:31 +0000 (GMT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=a1; t=1444253311; bh=EASXD6Buim8j3XV7g7vSU5CvQngtnEg6yV59FcCbe6U=; l=14795; h=From:To:CC:Date:References:In-Reply-To:From; b=KwZkpQl0qNBaN5+A6lMJ7D+8WAu5UzkrJ0oZL38xeTXTfaFL5gaz+VQlZ/1iZ2lfl shdJJgdEnqn7XmJ49CsGzbNclte+H7p0QxUg5BDSbef+oPLnQaTULapCxqXLX7zSZM Mybrx/RZ4z0nnMCJlYO/s7gS8KbsG4O+M2/Q/iyc=
Received: from ( []) by (Postfix) with ESMTP id 9B16D1E0AC; Wed, 7 Oct 2015 21:28:31 +0000 (GMT)
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1076.9; Wed, 7 Oct 2015 16:28:31 -0500
Received: from ([]) by ([]) with mapi id 15.00.1076.000; Wed, 7 Oct 2015 16:28:30 -0500
From: "Short, Todd" <>
To: Eric Rescorla <>
Thread-Topic: [TLS] TLS 1.3 - Support for compression to be removed
Thread-Index: AQHRATmlz8vkrT+RfEa++i1UEDH43Z5g0u4AgAAIBoCAAADdAIAAA8SA
Date: Wed, 07 Oct 2015 21:28:29 +0000
Message-ID: <>
References: <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_49943603287F4C78AEC145628554C190akamaicom_"
MIME-Version: 1.0
Archived-At: <>
Cc: "" <>
Subject: Re: [TLS] TLS 1.3 - Support for compression to be removed
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 07 Oct 2015 22:17:21 -0000

However, for those ClientHello’s that support older versions, the compression_method field may contain other values. This means that if a TLSv1.3 client happened to support compression for TLSv1.2, it would be unable to negotiate that via a single ClientHello. There’s no way to attempt to negotiate TLSv1.2+compression and TLSv1.3+no-compression in a single ClientHello.

In effect, the document is stating that a TLSv1.3 client MUST NOT support compression, regardless of the protocol version that may be negotiated.

-Todd Short
// "One if by land, two if by sea, three if by the Internet."

On Oct 7, 2015, at 5:15 PM, Eric Rescorla <<>> wrote:

On Wed, Oct 7, 2015 at 11:11 PM, Martin Rex <<>> wrote:
Eric Rescorla wrote:
> Martin Rex <<>> wrote:
>> Eric Rescorla wrote:
>>> That is what the document says:
>>> "Versions of TLS before 1.3 supported compression and the list of
>>> compression methods was supplied in this field. For any TLS 1.3
>>> ClientHello, this field MUST contain only the ?null? compression method
>>> with the code point of 0. If a TLS 1.3 ClientHello is received with any
>>> other value in this field, the server MUST generate a fatal
>>> ?illegal_parameter? alert. Note that TLS 1.3 servers may receive TLS 1.2
>>> or prior ClientHellos which contain other compression methods and MUST
>>> follow the procedures for the appropriate prior version of TLS."
>> The quoted wording calls for a fatal handshake failure when ClientHello
>> offers
>>   TLSv1.2+compression  _or_  TLSv1.3
>> while at the same time the last requirement asserts that a ClientHello with
>>   TLSv1.2+compression
>> is perfectly OK.  To me, this looks quite odd.
> That's not how I read this text.
> Rather, I read it as:
> If ClientHelloVersion >= TLS 1.3
>    then the compression field must be empty
> else:
>    the compression field is dictated by other versions
> This doesn't seem inconsistent to me. If you still think that the paragraph
> reads differently, can you help me by diagramming it?

What you describe would be considerable worse that what I understood,
because it would mean that a TLSv1.3 ClientHello will be unconditionally
invalid for a TLSv1.2 server.<>

      This is a list of the compression methods supported by the client,
      sorted by client preference.  If the session_id field is not empty
      (implying a session resumption request), it MUST include the

Dierks & Rescorla           Standards Track                    [Page 41]

RFC 5246                          TLS                        August 2008

*>    compression_method from that session.  This vector MUST contain,
*>    and all implementations MUST support, CompressionMethod.null.
      Thus, a client and server will always be able to agree on a
      compression method.

Sorry, I spoke carelessly. It must contain solely the null method.


TLS mailing list<>