Message info
To:Yoav Nir From:Eric Rescorla Subject:Re: [TLS] incompatibilities with ECC rfc Date:Sun, 18 Mar 2012 08:06:11 -0700

Well, the record header isn't used for negotiation. So while RFC 5246;
S E.2 does
in fact recommend this practice, there's no requirement that a client which
sends the 3.0/3.x pair actually supports the range 3.0-3.x.


On Sun, Mar 18, 2012 at 12:14 AM, Yoav Nir <> wrote:
> 3.0 in the TLS header
> 3.1/3.3 in the ClientHello
> 3.1/3.3 are the highest version you support, but you can obviously accept SSLv3, because of the TLS header
> -----Original Message-----
> From: Eric Rescorla []
> Sent: 17 March 2012 23:51
> To: Yoav Nir
> Cc: Marsh Ray;
> Subject: Re: [TLS] incompatibilities with ECC rfc
> On Sat, Mar 17, 2012 at 2:41 PM, Yoav Nir <> wrote:
>> On Mar 17, 2012, at 11:09 PM, Marsh Ray wrote:
>>> On 03/17/2012 03:33 PM, Nikos Mavrogiannopoulos wrote:
>>>> What do we do then? Live with interoperability issues?
>>>> Have other implementations run into it and handled it somehow?
>>> For the record, I suppose the official answer would be: use TLS 1.0
>>> or higher.
>>> I realize you may be testing the corner case explicitly, but really,
>>> are there any implementations that speak RFC 4132 ciphersuites but
>>> *don't* speak TLS?
>> Probably not. But there's also few if any web browsers that don't speak SSLv3. Most browsers will begin the SSL handshake at version 3.0 and indicate support in the ClientHello Version field for TLS 1.0 or 1.2 (everyone who's implemented 1.1 has implemented 1.2 by now). The same ClientHello that negotiates versions also negotiates ciphersuites, so the client offers SSLv3 and an ECC ciphersuite at the same time. It has to be ready for the case where the server replies at SSLv3, and chooses the ECC ciphersuite.
> Could you explain what you mean by "begin the SSL handshake at version 3.0"? You indicate the highest version you support (and nothing else) in the ClientHello.
> So you're not offering
> SSLv3--the server has no idea if you would accept it, and indeed if the server chooses it you are free to reject it.
> -Ekr
TLS mailing list